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Description 

FIELD OF THE INVENTION 

[0001] The present invention generally relates to a 
method and apparatus for providing digital information 
with enhanced security and protectbn. More particular- 
ly, the invention relates to a method and apparatus for 
providing enhanced computer system security while 
processing computer programs, particularly those of un- 
known origin, which are transmitted among users. 

BACKGROUND AND SUMMARY OF THE 
INVENTION 

[0002] The potentially devastating consequences of 
computer "Viruses 1 ' have been widely publicized. A com- 
puter virus may be viewed as a computer program 
which, when executed, results in the performance of not 
only operations expected by the user, but also unexpect- 
ed, often destructive, operations buift into the program. 
A computer virus may also be viewed as a program 
which, when executed, takes a part of its code and plac- 
es such code in other programs to thereby infect the oth- 
er programs. The virus may modify other programs with- 
in the system, set various traps in the system, alter var- 
ious control programs, erase or otherwise modify files 
in the system, etc. 

[0003] Such a virus is typically maliciously construct- 
ed to have such undesirable side effects which damage, 
probe or compromise the user's data in unexpected 
ways. Problems with computer viruses are often com- 
pounded by the fact that the virus controlling program is 
typically executed "implicitly 0 when the user accesses 
certain necessary data so that the user is not even 
aware that the destructive program is executing. 
[0004] The present invention provides protection from 
such viruses and also from programs which execute on 
a system but which are not actual computer virus carri- 
ers. In this regard, a program may have an unintended, 
adverse impact on a computer system and/or associat- 
ed data. For example, an executing program may inad- 
vertently cause certain user data to be sent to a third 
party. Such a program may have been the result of a 
programming error or may have been intentionally de- 
signed to cause a particular problem. 
[0005] Prior art operating systems are typically de- 
signed to protect data from computer users. In such sys- 
tems, users are often assigned various authorities and 
are thereafter able to execute programs based on their 
associated authority. If a program is executing which ex- 
ceeds the user's assigned authority, then such a system 
will halt execution of the program. Such prior art systems 
do not adequately protect computer users from compu- 
ter viruses or the like. 

[0006] There are security systems which protect cer- 
tain "system" related files from being modified by a pro- 
gram. However, such systems do not typically protect a 


computer user from a program executing and modifying 
the user's own files. 

[0007] EP-A-0 026 590 discloses a system in which 
capability registers are used to control access rights to 

5 certain blocks of memory in a time-shared computer 
system. In particular, the document is concerned with 
the provision of enhanced capability loading arrange- 
ments, the general idea of capability registers being well 
known. The document does not disclose a system which 

io is suitable for protecting a user from the possible actions 
of an unknown incoming program. 
[0008] A paper by G S Graham et al, "Protection-Prin- 
ciples and Practice" Proc. Spring Joint Computer Conf 
Vol. 40, 1972 ATLANTIC CITY, US; pages 417-429 is 

'5 directed to a mainframe computer system of the early 
and mid 1 970s, ie a shared access system in which nu- 
merous users share combined resources. The docu- 
ment is directed to the protection of the shared resourc- 
es from programs that might include destructive func- 

20 tions. The document states specifically that it is not di- 
rected to providing 'certified subsystems' but simply pro- 
tecting shared resources. Further the protection is relat- 
ed to the authority of the user running the program. The 
system is not appropriate for protecting a user from the 

25 possible actions of an unknown incoming program. 
[0009] A paper by S.T. Vinter, "Extended Discretion- 
ary Access Controls" IEEE Symposium on Security and 
Privacy, 21 April 1988, Oakland, US; pages 39 - 49 is 
directed to controlling access to objects using access 

30 control lists to authorise access to objects and exten- 
sions to conventional access control lists are disclosed. 
The disclosure relates to controlling the access of users 
to objects and not to protecting a user from the possible 
actions of an unknown incoming program. 

35 [0010] The present invention is directed to providing 
reliable security, even when operating with complex da- 
ta structures, eg objects, containing their own program 
instructions, which are transmitted among users. The 
present invention also provides enhanced security 

40 when processing more conventional programs, even 
those of questionable origin, eg from a computer bulletin 
board, without exposing system programs or data to the 
potentially catastrophic consequences of computer vi- 
ruses or of incompetent programming. 

45 [0011] According to a first aspect of the present inven- 
tion there is provided a computer system having 
processing means for executing a plurality of incoming 
programs and a memory means for storing program in- 
structions and data, comprising an apparatus for pro- 

50 tecting a computer user from operations typically per- 
formable by a computer program executing on behalf of 
a user, said apparatus comprising: 

means for generating a hash of at least one instruc- 
ts tion of said incoming programs; 

means for storing a plurality of authorisation entries 
in said memory means, wherein said entries qualify 
operations which an associated program is permit- 
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ted to perform when executed by said processing 
means; and 

means for storing in at least one segment, data for 
associating said authorization entries with at least 
one program. 

[0012] According to a second aspect of the present 
invention there is provided a method of operating a com- 
puter system including processing means for executing 
a plurality of incoming programs and memory means for 
storing at least one program, said computer system hav- 
ing a plurality of computer resources and being capable 
of performing a wide range of information processing re- 
lated functions under program control, said method be- 
ing for protecting a computer user from operations typ- 
ically performable by a program while it is executing on 
behalf of a user, and comprising the steps of: 

generating a hash of at least one instruction of said 
incoming program; 

establishing a program authorising information data 
structure for storing a plurality of authorisation en- 
tries each indicating at least one of those computer 
resources and information processing related func- 
tions which may be used by an associated program; 
storing said program authorising information data 
structure; and associating the program authorising 
information data structure with at least one program 
to be executed by said computer system to thereby 
protect the computer user from operations that 
might be performed by said at least one program, 
whereby the program authorising information is 
available to be monitored when its associated pro- 
gram is executed. 

[0013] According to a third aspect of the present in- 
vention there is provided a method for executing pro- 
grams in a computer system having means for execut- 
ing a plurality of incoming programs and a memory 
means coupled to said means for executing, for storing 
data and program instructions, said computer system 
being capable of performing a wide range of information 
processing related operations under program control, 
for a computer user, said method comprising steps of: 

identifying a program to be executed; 

generating a hash of at least one instruction of said 

program to be executed: 

determining whether a program authorising infor- 
mation data structure has been associated with the 
program, wherein said program authorising data 
structure qualifies the ability of the program from 
performing information processing related opera- 
tions which are available to said computer user; 
examining said program authorising information da- 
ta structure if one has been associated with said 
program; 

determining from an examination of said program 


authorisation information whether the associated 
program is allowed to perform an attempted infor- 
mation processing related operation; and 
suppressing performance of said operation if said 
5 program authorising information data structure in- 
dicates that said program is not allowed to perform 
an attempted operation. 

[0014] The present method and apparatus utilizes a 

?0 unique operating system design that includes a system 
monitor which limits the ability of a program about to be 
executed to the use of predefined resources (eg data 
files, disk writing capabilities etc). The system monitor 
builds a data structure including a set of authorities de- 

is fining that which a program is permitted to do and/or that 
which the program is precluded from doing. 
[0015] The set of authorities and/or restrictions as- 
signed to a program to be executed are referred to here- 
in as "program authorization information" (or "PAI"). 

20 once defined, the program authorization information is 
thereafter associated with each program to be executed 
to thereby delineate the types of resources and func- 
tions that the program is allowed to utilize. The PAI as- 
sociated with a particular program may be assigned by 

25 a computer system owner/user or by someone who the 
computer system owner/user implicitly trusts. 
[0016] The PAI defines the range of operations that a 
program may execute and/or defines those operations 
that a program cannot perform. The program is permit- 

30 ted to access what has been authorized and nothing 
else. In this fashion, the program may be regarded as 
being placed in a program capability limiting "safety 
box". This "safety box" is thereafter associated with the 
program such that whenever the system monitor runs 

35 the program, the PAI for that program is likewise loaded 
and monitored. When the program is to perform a func- 
tion or access a resource, the associated PAI is moni- 
tored to confirm that the operation is within the defined 
program limits. If the program attempts to do anything 

40 outside the authorized limits, then the program execu- 
tion is halted. 

[0017] Thus, the present invention advantageously 
protects a user from any'program to be executed. The 
present invention is particularly advantageous in light of 
45 current data processing practices where programs are 
obtained from a wide range of diverse, untrustworthy 
places such as computer bulletin boards or other users 
of unknown trustworthiness. 

[0018] In developments of the present invention the 
50 above-described PAI may be, together with the program 
itself (or a hash of the program), digitally signed by some 
entity that the user trusts. When digital signatures are 
used to validate the PAI, the aforementioned PAI mon- 
itoring will also involve verifying a digital signature on a 
55 PAI to ensure that it belongs to an entity trusted by the 
user and that it is properly authorized and that it and the 
associated program have not been tampered with. 
[0019] A development of the present invention may 


5 

comprise the use of the hierarchical trust digital signa- 
ture certification systems such as that described in the 
inventor's U.S. Patent Numbers 4,868,877 and 
5,005,200. In accordance with the teachings of these 
patents, it is possible for a single high level authorizing 
entity to securely delegate the authority to authorize pro- 
grams among a number of other entities and to require 
co-signatures at any level, thereby inhibiting the possi- 
bility of error, fraud by the authorizing agents them- 
selves. This allows a single software validation group to 
service a large population, thereby substantially reduc- 
ing the per capita expense to each user. 
[0020] In one contemplated embodiment of the 
present invention, programs may be part of data objects, 
which are written in a high-level control language and 
are executed by a standardized interpreter program 
which executes this high-level language. In this case, 
part of the interpreter's task is to verify that the functions 
encountered in the high level logic are, in fact, permis- 
sible. If such tasks are not permissible, the interpreter 
then suppresses the execution of the program not au- 
thorized to perform such tasks. 
[0021] Many advantages flow from the use of the 
present invention. For example, the present invention 
advantageously serves to bind limitations to programs 
so that it becomes impossible for covert programs or vi- 
ruses to be introduced into the system. Users are pro- 
tected through specifying details as to the functions that 
may be performed to ensure that programs which are 
intended for one function do not accidentally or inten- 
tionally crossover and affect other unrelated or critical 
resources (so as to effect the spread of computer virus- 
es). Through the use of the program authorization infor- 
mation in the manner described herein, it is possible for 
users to protect themselves against the programs they 
execute. 

[0022] Administrative agents can effectively limit the 
scope of programs without the need to comprehend 
every aspect of the program's logic. Administrators can 
authorize and limit programs based on their intended 
functions and definitions to thereby reduce the dangers 
of program defects. In this fashion, the dangers of the 
distraught or mischievous programmer who might try to 
plant a software "time bomb" or virus can be limited. 
[0023] At least some embodiments also permits dig- 
ital signatures to verify the PAL Thus, programs can be 
freely and safely exchanged within a large population, 
where all members trust the common high-level signing 
authority. 

[0024] Even programs with no known trustworthiness 
can be used after program authorization information as- 
sociates a wide range of restrictions to thereby allow po- 
tentially beneficial programs to be safely used - even if 
they do not have an official certification of trust. 
[0025] At least some embodiments also allow an un- 
limited number of different resources and functions to 
be controlled. For example, some useful resources/ 
functions which may be controlled include: the ability to 


6 

limit a program to certain files or data sets; the ability to 
transmit data via electronic mail to someone outside the 
user's domain; the ability of a program to create or solicit 
digital signatures; the ability to limit access to a program 
5 of certain security classes, etc. 

[0026] At least some embodiments also provide the 
ability to limit whether a program can perform digital sig- 
nature operations and limit how such signatures must 
be performed. In many cases, when a program is in- 
fo vorved in soliciting a digital signature from a user, it is 
up to the program to make the user aware of the data 
to which the signature is being applied. Such is likely to 
be the case with electronic data interchange (EDI) trans- 
actions. In this case, it is conceivable for a mischievous 
*5 application program to show the user one set of data 
and yet feed another set of data for signature. In this 
case, the program has tricked the user into digitally sign- 
ing totally different information than that which the user 
has been led to believe. The present invention provides 
20 a mechanism which protects the user from programs 
which solicit digital signatures. 
[0027] Through the use of the present invention, gen- 
eral object oriented data may be transferred from user 
to user without exposing users to the potential dangers 
25 of viruses or mischievous users. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0028] These as well as other features of this inven- 
30 tion will be better appreciated by reading the following 
description of the preferred embodiment of the present 
invention taken in conjunction with the accompanying 
drawings of which: 

35 FIGURE 1 shows in block diagram form an exem- 
plary communications system which may be used 
in conjunction with the present invention; 

FIGURE 2 is an illustration of a program authoriza- 
40 tion information data structure; 

FIGURES 3A-3D illustrate exemplary methods for 
associating program authorization information with 
a program; 

45 

FIGURE 4 is a general flowchart illustrating how a 
user may use the present invention in conjunction 
with a program of unknown origin; 

50 FIGURE 5 is an illustration of a program control 
block data structure in accordance with an exem- 
plary embodiment of the present invention; 

FIGURES 6, 7, 8, 9A and 9B are a flowchart delin- 
ks eating the sequence of operations of a program for 
establishing program authorization information; 

FIGURES 10 and 11 illustrate the sequence of op- 
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erations performed by a supervisor program in 
processing program authorization information. 

DETAILED DESCRIPTION OF THE DRAWINGS 

[0029] FIGURE 1 shows in block diagram form an ex- 
emplary communications system which may be used in 
conjunction with the present invention. The system in- 
cludes a communications channel 1 2 which may, for ex- 
ample, be an unsecured channel over which communi- 
cations between terminals A, B,... N, may take place. 
Communications channel 12 may, for example, be a tel- 
ephone line. Terminals, A, B, ...N may, by way of exam- 
ple only, be IBM PC's having a processor (with main 
memory) 2 which is coupled to a conventional keyboard/ 
CRT display 4. Additionally, each processor is prefera- 
bly coupled to a non-volatile program and program au- 
thorization information (PAI) storage 7 which may be a 
disk memory device. Each terminal, A, B...N also in- 
cludes a conventional IBM communications board (not 
shown) which when coupled to a conventional modem 
6, 8, 10, respectively, permits the terminals to transmit 
and receive messages. 

[0030] Each terminal is capable of generating a mes- 
sage performing whatever digital signature operations 
may be required and transmitting the message to any 
of the other terminals connected to communications 
channel 12 (or a communications network (not shown), 
which may be connected to communications channel 
1 2). The terminals A, B...N are also capable of perform- 
ing signature verification on each message as. required. 
[0031] Figure 2 is an illustration of an exemplary pro- 
gram authorization information (PAI) data structure. The 
PAI includes a set of authorizing specification segments 
22-38 and a set of authorizing signature segments 
40-48 (which may be optional in certain situations). 
[0032] A header segment 20 precedes the authorizing 
specification segments, and defines the length of the 
program authorization information which follows. The 
field length information permits the programmer to read- 
ily determine the extent of the associated authorization 
information in memory. Thus, if, for example, an object- 
oriented data structure (to be described below in con- 
junction with Figure 3C) were to be utilized, field 20 
would serve to identify the point at which program au- 
thorization information segment 116 ends to locate pro- 
gram segment 118 shown in Figure 3C. 
[0033] Segments 22 and 24 are "hash" related seg- 
ments. As will be appreciated by those skilled in the art, 
a "hash" is a "one-way" function in which it is computa- 
tionally infeasible to find two data values which hash to 
the same value. For all practical purposes, the value ob- 
tained from applying the hashing function to the original 
aggregation of data is an unforgeable unique fingerprint 
of the original data. If the original data is changed in any 
manner, the hash of such modified data will likewise be 
different. 

[0034] The hashing of related segments insures 


against the possibility that a properly authorized pro- 
gram in accordance with the present invention will be 
later tampered with to result in a modified program. By 
storing the program hash in segment 24, the hash may 
s be later checked to insure that the associated program 
has not been modified after it has been authorized. In 
segment 22, an identifier is stored to uniquely identify a 
particular hashing algorithm. 

[0035] The PAI may optionally include a segment 26 
io which identifies the type of program (or object) to, for 
example, indicate that the associated program is a ma- 
chine language program, an executive program of a par- 
ticular type, etc. By providing data identifying the type 
of program, the system is provided with some informa- 
is tion regarding the nature of the operations to be per- 
formed by the program. Such information can provide 
an indication that something unexpected (and perhaps 
mischievous) is occurring. The PAI may also includes 
fields identifying the name of the program at the time it 
20 was signed (segment 28) and the date of authorization 
(segment 29). 

[0036] Section 30 is a segment which defines the size 
of the following series of authorization related entries. 
This field allows the remaining entries to be delimited as 
25 desired. 

[0037] Each authorization entry which follows in- 
cludes a segment defining the size of the particular entry 
(32). Each entry likewise includes a segment 34 identi- 
fying the type of function or resource 34 to which it re- 

30 lates. A wide range of functions may be defined such 
as, for example, whether the program may have the right 
to authorize other programs to solicit digital signatures. 
Segment 36 specifies a specific function/resource fall- 
ing within the generic type identified in segment 34. For 

35 example, specific user files may be designated in seg- 
ment 36 to more specifically identify the "files" specified 
in segment 34. Segments 34 and 36 may, if desired, be 
combined in a single segment. The reference to "wild 
card" in segment 36 is intended to, for example, indicate 

40 that a program may access any file having a predeter- 
mined prefix or suffix. For example, a designation °A* B 
would indicate that the program may access any file 
identified by a tag beginning with °A". Similarly, the seg- 
ment 36 may include an entry *DATA which may signify 

45 that the program may access any file ending with "DA- 
TA" or may alternatively signify that the program can not 
access the designated set of files. Such an entry may 
also indicate that the program can alter any program 
files. Segment 36 may thus specify not only what the 

50 program can do, but also what the program is not au- 
thorized to do. 

[0038] Segment 38 shown in Figure 2 specifies the 
level of authority which has been granted. For example, 
segment 38 may specify that the program is granted a 
55 level of authority permitting reading from a predeter- 
mined set of files, but is denied the authority to alter, or 
delete any such files. 

[0039] If the PAI is to be made available to different 
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users (by virtue of the program being transmitted to de- 
sired recipients), then it may become desirable for the 
PAI to be digitally signed. Even within a single organi- 
zation, it may be desirable to include an optional author- 
ization signature. 

[0040] The authorization signature includes a signa- 
ture segment 40. The signature segment 40 may include 
a reference to the signer's certificate, i.e., an identifier 
for identifying the signer's certificate. In accordance with 
a preferred embodiment of the present invention, such 
a digital certificate is a digital message created by a 
trusted entity which contains the user's public key and 
the name of the user (which is accurate to the entity's 
satisfaction) and possibly a representation of the author- 
ity which has been granted to the user by the party who 
signs the digital message. Such a signer's certificate is 
preferably created utilizing the teachings of the inven- 
tor's U.S. Patent Nos. 4,868,877 and 5,005,200. In ac- 
cordance with these patents, the certificate is construct- 
ed by the certifier to include the authority which is being 
granted and limitations and safeguards which are im- 
posed including information which reflects issues of 
concern to the certifier, such as, for example, the mon- 
etary limit for the certifiee and the level of trust that is 
granted, to the certifiee. The certificate may also specify 
co-signature and counter signature requirements being 
imposed upon the certifiee, as specifically taught in the 
above -identified U.S. patents. 

[0041] The signature segment 40 may also include 
the signing date, and algorithm identifiers for both the 
hash and public key. The segment 40 additionally in- 
cludes the authority invoked for signing which specifies 
one or more authorities designated in a certificate to, for 
example, grant the authority to authorize programs to 
modify a predetermined file. Additionally, the signature 
will include a hash of the authorizing specification, e.g., 
including the entirety of segments 20 through 38 de- 
scribed above. 

[0042] The result of the signer's private key operation 
on the items identified in segment 40 is stored in seg- 
ment 42. This may be a standard digital signature such 
as defined in X.500 or may be in accordance with the 
enhanced digital signature teachings of the inventor's 
above -identified U.S. patents. Additional (a possible 
second to possible Nth) signatures (cosignatures) may 
be stored as indicated in segments 44, 46. Optionally, 
the authorization signature may also include the digital 
certificate for the above signatures in a segment 48. Al- 
ternatively, such certificates may be accessible from an 
identified data base (although it may be preferable to 
include the digital certificates for associated signatures 
so that signatures may be verified without the need to 
access any such data base). The segments 40 through 
48 constitute the authorization seal which is associated 
with the authorization specification described above. All 
further details regarding the digital certification/digital 
signature techniques referenced herein may be per- 
formed with any digital signature technology including 


standard technology such as X.500 or enhanced tech- 
nology such as in accordance with the above-identified 
U.S. patents. 

[0043] In accordance with the present invention, a PAI 
5 is associated with programs to be executed. Figures 3A 
through 3D depict four exemplary approaches for asso- 
ciating program authorization information with a pro- 
gram. Turning first to Figure 3A, this figure exemplifies 
how program authorization information is stored, under 
io access control, in association with a program. Figure 3A 
shows an exemplary schematic representation of a sys- 
tem's directory of programs. The directory includes data 
indicative of the name of each of the programs 1, 2...N 
(80, 86.. .92 , respectively). 
75 [0044] Associated with each program name identifier 
is an indicator 82, 88, 94, respectively, which identifies 
the location on disk 98 of the associated program, for 
example, program 1 (104). 

Additionally, associated with each of the program relat- 
20 ed identifiers is an indicator 84, 90,... 96, respectively, 
which identifies the location of its associated program 
authorization information, e.g., PA1 1. Although the pro- 
gram authorization information, PA1 1 , is depicted as be- 
ing stored in a separate memory device 100, it may, if 
25 desired, be stored in the same memory media as its as- 
sociated program. As indicated above, the program au- 
thorization information associated with a program may 
or may not be digitally signed depending upon whether 
the program authorization information has been gener- 
30 ated by the user himself (in which case it may need not 
be signed) or has been generated by a third party in 
which case the PAI frequently should be signed. 
[0045] Figure 3B shows another approach to associ- 
ating a PAI with a program. In this approach, the pre- 
ss gram authorization information 1 1 0 is embedded with a 
program 112. As described above in conjunction with 
Figure 3A, the authorizing information may optionally be 
digitally signed depending upon the source of the PAI. 
[0046] Figure 3C shows an important application in 
40 which a PAI data structure is associated with a program 
according to an embodiment of the present invention. 
Figure 3C shows an illustrative data structure for a se- 
cure exchangeable "object". The data structure may be 
signed by a trusted authority. The signing of such a data 
45 structure allows the object to be securely transmitted 
from user to user. Although the data structure shown in 
Figure 3 is set forth in a general format, it may be struc- 
tured as set forth in the inventor's copending application 
filed on April 6, 1992 and entitled "Method and Appara- 
so tus for Creating, Supporting and Processing a Travelling 
Program" US Patent No. 5,337,360. 
[0047] The data structure includes a header segment 
1 1 4 which, by way of example only, may define the type 
of object that follows, e.g., a purchase order related ob- 
55 ject or any other type of electronic digital object. The 
program authorization information is embedded in a 
segment 116 which specifies the authorization for the 
object's program or programs in a manner to be de- 
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scribed more fully hereinafter. 

[0048] The data structure includes an object program 
(s) segment 118, which for example, may control the 
manner in which an associated purchase order is dis- 
played so as to leave blanks for variable fields which are s 
interactively completed by the program user The object 
program might store such data and send a copy of itself 
together with accompanying data in a manner which is 
described in detail in the applicant's above-identified co- 
pending application. As indicated in Figure 3C, the pro- 
gram may be divided into several logical segments to 
accommodate different uses of the object. For example, 
the program may present a different display to the cre- 
ator of a digital purchase order, than it displays to sub- 
sequent recipients. When the program is received by a 
recipient designated by the program, the recipient in- 
vokes a copy of the transmitted program to, for example, 
control the display of the purchase order tailored to the 
needs of the recipient. The recipient may verify all re- 
ceived data and add new data and the program may 
then send itself via the recipient's electronic mail system 
to, for example, a user who will actually ship the goods 
purchased. 

[0049] The data structure shown in Figure 3C addi- 
tionally includes data segments 120 associated with the 
object which include a "variables" segment and data 
files segment, preferably as described in the above- 
identified patent application. The data segment 1 20 may 
be partitioned such that data associated with each ver- 
sion or instance of the object will be separately stored 
and separately accessible, since different users may 
have different uses for the data structure shown in Fig- 
ure 3C. 

Therefore, the data will vary depending upon how it is 
collected from each user The program 118, however, 
will preferably remain intact for each user. The trusted 
authority will sign the program together with the program 
authorization information (PAI) since it is the program 
itself which needs to be authorized rather than the data 
that is input in response to each execution of the pro- 
gram (since the data may change during each execution 
path and also since it is the program's responsibility to 
ensure that accurate digital signatures are properly col- 
lected on the input data). 

[0050] Figure 3D exemplifies a situation in which 
many users access the same program (image) -- each 
having their own (possibly distinct) Program Authoriza- 
tion Information 129 associated with it and maintained 
in a specific file belonging to the user. Figure 3D shows 
a system program directory 131, which identifies via an 
indicator associated with a program name, the location 
on a disk 132 of a program X. In this case, whenever 
program X is invoked by a user, the system checks to 
determine if the user has private PAI specification(s) (e. 
g., 133, 135, 137) that can be associated with that pro- 
gram. Thus, different users may limit a program accord- 
ing to their own needs and perception of trust. This can 
be useful, for example, when users with great inherent 


authority, or who have been granted access to very im- 
portant information, must occasionally execute "pedes- 
trian" programs for mundane purposes. In this case, it 
may be prudent for such critical users to define a "safety 
box" around some (or many, or all) "pedestrian" pro- 
grams, so that such programs may not inadvertently 
contain "trojan horses" or other faults which might affect 
their own especially critical data. 
[0051] Therefore, such users could define general 
PAI "association 0 , so that a protecting PAI could be au- 
tomatically associated with all programs -- except per- 
haps the select trusted few programs which handle cru- 
cial data. 

[0052] The present invention allows PAI information 
to be associated in any appropriate manner, so that in 
principle a user could define one or more levels of PAI 
which are then combined together with perhaps a more 
universal PAI, or with a PAI which was signed and sup- 
plied by the or manufacturer of this program. 
[0053] The present invention contemplates that the 
association between a program and its PAI can be con- 
structed very generally so that, if necessary, one pro- 
gram could be associated with multiple PAI's, or con- 
versely, that one PAI could be applied to multiple pro- 
grams; or some combination of these approaches. It 
therefore should be understood that, while for purposes 
of simplicity we generally discuss a single PAI in con- 
junction with a single program, this should not be con- 
sidered in any way limiting. 

[0054] Figure 4 is a flowchart which illustrates how a 
user may benefit from the use ol program authorization 
information, particularly when executing a program of 
unknown trustworthiness. As indicated in block 121, a 
user may have a desire to execute a program of interest 
in which the user has no knowledge of the program's 
creator. Thus, the program has unknown trustworthi- 
ness and may, for example, have been accessed via an 
electronic bulletin board and may have arrived at the us- 
er's terminal via a telecommunications channel or dis- 
kette. Such a program, which might purport to be only 
a game, carries with it a significant risk that it may be 
infected by a virus. 

[0055] As indicated in block 1 22, the user may be pro- 
tected by defining program authorization information 
which restricts the program to only unimportant or ex- 
pendable files. If desired, the user may restrict such a 
program from modifying any files whatsoever. For ex- 
ample, the user may permit the program to only display 
images on the display screen and to perform game play- 
ing related functions. Alternatively, if the program is 
known to have a single work file, the PAI data may only 
permit use of such a single file. By limiting access only 
to a single work file, a program of unknown trustworthi- 
ness, cannot inject a virus into other user's programs or 
otherwise initiate system program malfunctions. Thus, 
in accordance with the present invention, a user, via a 
systems program, determines how much of the user's 
system will be put at risk by such a program so as to, 
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for example, completely eliminate the ability of the pro- 
gram to use any privileged functions. The user then as- 
sociates, for example, through an operator prompting, 
menu-driven system, a PAI with every program to be run 
on the system (or have such PAI or lack of PAI associ- s 
ated through predetermined default mechanisms). A 
system utility program is preferably employed to create 
the program authorization information in a manner 
which will be described in detail below in conjunction 
with Figures 6-9. 

[0056] After the PAI has been assigned, any time the 
system runs the associated program, the system soft- 
ware (in a manner to be described below) insures that 
the program safely runs in a manner consistent with the 
PAI. Thus, the program has been effectively placed in a 
"safety box" (124). 

[0057] Turning back to Figure 1, a program of un- 
known trust may be injected into the system via com- 
munications channel 1 2 or from a floppy disk loaded into 
terminal A. The program may be initially stored in, for 
example, the user's program disk memory 7. Thereafter, 
the user on keyboard 4 will, through interaction with the 
system's program identified above (with respect to block 
122 of Figure 4), associate the program authorization 
information with a program (in a manner such as shown 
in Figures 3A through 3D) such that the program may 
safely run on the user's system or perhaps, a PAI arrives 
with the program, in which case it is likely to be signed. 
[0058] Figure 5 is an illustration of a program control 
block (PCB) data structure 140 in accordance with an 
exemplary embodiment of the present invention. The 
program control block 140 is the data structure utilized 
by the system monitor to control the execution ol an as- 
sociated program. 

[0059] The program control block 140 is loaded with 
program authorization information such that the PAI can 
be readily referenced as the associated program is ex- 
ecuted so as to insure that the program performs func- 
tions and accesses resources in conformance with its 
assigned authorizations. The program control block as- 
sociated with the program to be executed is located in 
a storage area which cannot be modified by the pro- 
gram. 

[0060] As shown in Figure 5, an originating program 
(whose PCB is identified at 180) calls a program (having 
a PCB 170) which will, in turn, will call the program 140 
is shown in detail in Figure 5. Each new PCB will include 
a field such as 1 50 that points to the "previous" or calling 
program control block. A field may also be utilized to 
identify the "next" program control block file. 
[0061] When a called program finishes executing, the 
system removes its associated PCB from the top of the 
executed stack, removes the associated program from 
storage, removes the associated authorizing informa- 
tion and accesses the program control block immediate- 
ly below it in the stack. When another program is called, 
the reverse process occurs such that a new PCB is cre- 
ated which is placed on top of the stack, which again 


points to the previous PCB as indicated in field 150. 
[0062] The program control block also includes a field 
152 which is a pointer to the location in storage where 
the associated program is loaded, e.g., as indicated by 
memory segment 153, shown in Figure 5. Additionally, 
the size of the program is indicated in field 154 (which 
thus indicates the amount of storage which will be re- 
leased when the program finishes execution). 
[0063] A field 156 of the program control block iden- 
tifies the location in storage (157) of one or more PAI's 
(which are located in an area of storage which cannot 
be altered by associated programs). The PAI's pointed 
to by field 156 are preferably structured in the manner 
indicated in Figure 2 described above. 
[0064] Field 158 identifies the entry address for the 
associated program. If the program, during its execu- 
tion, calls another program, the field 158 is utilized to 
store the address at which program execution will be 
resumed, after the called program completes is execu- 
tion. 

[0065] The program control block also includes a set 
of locations (160) for storing status information such as, 
for example, program status words (PSW's), stack in- 
formation, etc. The program control block additionally 
includes a field 162 for storing information relating to an 
error or termination message if an error occurs during 
the execution of the program. Such a field may be avail- 
able to the calling program to identify, for example, why 
the program terminated unsuccessfully. Field 162 may 
store an indication that the program successfully termi- 
nated. 

[0066] The program control block 140 additionally in- 
cludes various pointers which are maintained so that 
stray resources can be released when the program ends 
(164). Such pointers are useful to permit the release of 
resources which, for example, a programmer neglects 
to release. 

[0067] Figures 6 through 9 is a flowchart illustrating 
an exemplary sequence of operations of a utility pro- 
gram for establishing program authorization informa- 
tion. Such a utility program prompts a user, i.e., the end 
user, the end user's agent, or even the manufacturer, to 
define a range of authorities which are associated with 
a program to be executed by the user's system. 
[0068] As shown in Figure 6, after entering the utility 
program for establishing the PAI (200), the user is 
prompted to supply the name of the program for which 
the PAI is to be established (202). Thereafter, the user 
is prompted to determine whether the PAI should be 
signed or not signed. The PAI need not necessarily be 
signed if the PAI is for the user's own use and protection 
or if this PAI can be stored under satisfactory access 
control. Depending upon the user's input in block 204, 
a determination is made (206) as to whether the user 
wishes to sign or does not wish to sign. If the user wishes 
to sign, then as indicated in block 208, a user's certifi- 
cate is retrieved and a flag is set for later testing to in- 
dicate that a signature operation is being performed. 
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The user's certificate may be a conventional digital cer- 
tificate or an enhanced digital certificate providing for 
the delegation of authority in accordance with the inven- 
tor's U.S. Patents No. 4,868,877 and 5,005,200. 
[0069] As indicated in block 210, the user is then 
prompted to designate what authority should be as- 
signed to the program,. It should be recognized that the 
authorities which follow (and the order in which they are 
presented) are provided for illustration purposes only 
and are not intended to be a complete list of all possible 
authorities which may be assigned in accordance with 
the present invention. 

[0070] As illustrated in Figure 6, a check is made to 
determine whether file access authority is to be invoked 
(212). A menu may be displayed to the user to provide 
for a selection of a file access authority (and each of the 
other authorities hereinafter referenced). It should be 
recognized that file access authority may be used to in- 
dicate authority with respect to any set of fields or file 
elements in a file, any set of data or data elements, or 
any set of files, etc. If the user selects file access au- 
thority, then the user will be prompted to specify a file 
name or a file stem or "wild card" file name pattern (21 4). 
As explained above, for example, a wild card file name 
pattern may be selected of the form DATA*, such that 
the program will be given the authority to access any file 
name beginning with the prefix "DATA 0 . 
[0071 ] Thereafter, the user will be prompted to specify 
the type of file access (216). In this regard, the user may 
specify that the program's authority shall be limited to 
one or more of: only reading from files, inserting infor- 
mation into files, updating information in files, deleting 
information from files, erasing files, transmitting a file, 
etc. If file access or any other authority identified below 
in Figures 6-8 is selected, then an indication of this se- 
lection is stored and the routine branches to block 274 
of Figure 9 which will be described below. 
[0072] If the user did not select file access, then a 
check is made to determine if this is a request to author- 
ize this program to invoke other programs (218). If so, 
then a determination is made (221) to ascertain what, if 
any, limitations or qualifications are to be established on 
which programs can be invoked. There are many ways 
that such qualifications could be defined and combined. 
For example, it may be that only one particular program 
name is allowed to be invoked; or perhaps only pro- 
grams with a name matching a certain ("wild card") pat- 
tern may be invoked. Perhaps the criteria would also 
contain a specification of the library, or set of libraries, 
in which permissible programs may reside. 
[0073] Another way of qualifying programs eligible to 
be called by this program would be to specify that the 
called program must have no greater authority than the 
calling program. Alternatively, depending on the author- 
ity and need (and on how the system chooses to com- 
bine the authority of invoking and invoked programs), it 
might be appropriate to require the invoked program to 
have no lesser authority than the invoking program. In 


fact, as part of this "invocation authority" qualification, it 
may even be appropriate to specify the method by which 
authority is to be combined with the called programs (e. 
g., by using the called program's natural authority, by 
5 using the most restrictive authority of the invoked and 
invoker, etc.). 

[0074] As used herein, any reference to a qualification 
or restriction, or limitation or permission of a specified 
authority is intended to include an entire rule specifica- 

io tion set based on any collection of appropriate criteria 
The terms "rule", "set of, "qualification", etc., are used 
in their most general sense, whereby a specification can 
be determined by any type of rule, or compound set of 
rules, which can distinguish elements by any attribute, 

is including, without limitation, for example: by direct spec- 
ification, by indirect specification, by exclusion, by a list, 
by a "wild card" rule, or any other way which distinguish- 
es elements by any appropriate attribute, method or cri- 
teria. Such distinction is intended to encompass speci- 

£0 fications that include only a single element, that exclude 
all elements, or that include all elements. The PAI may, 
in whole or in part, consist of any number of contiguous 
or discontiguous segments of data. In an appropriate 
context, there may be predefined rules which areformu- 

2S lated for that context, which are presumed in the ab- 
sence of any explicit qualification. 
[0075] The terms "indicate", "points to", "address of", 
etc., are generally intended to convey any type of ap- 
propriate association, including without limitation for ex- 

30 ample: direct specification, any type of pointer, refer- 
ence, association, hash, linking value common identifi- 
er, etc.; it may include any level of indirection; it may be 
explicit, or it may, as appropriate to the context, be im- 
plicit in the absence of any explicit association. 

3S [0076] The term "limitations" is intended to refer to the 
general notion of a limit - it frequently is used in the 
common sense of a "restriction" over normal capability, 
but it is also intended to reflect situations in which the 
limit is defined beyond normal capabilities. 

40 [0077] The present invention, while it primarily focus- 
es on defining functions which restrict the ability of a pro- 
gram to access resources normally allowed to users, 
could also, in an appropriate environment, be used to 
extend the capabilities beyond those normally allowed 

45 to a user. Thus, for example, programs whose PAI is 
signed by an authority recognized by the supervisor, 
could be allowed to perform extended functions. 
[0078] While some exemplary rules have been given 
regrading how the PAI should be verified, the particular 

so implementation could vary widely. As indicated, in some 
cases the PAI may not need to be signed at all - such 
as when the user defines the PAI himself, or when a 
trusted administrator stores the PAI in trusted access 
controlled storage. When the PAI is signed, there are 

55 any number of ways in which signature verification could 
be accomplished e.g., in accordance with the inven- 
tor's other patents, U.S. Patent Nos. 4,868,877 and 
5,005,200. It is likely that the user will have previously 
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stored information defining the ultimate public key or 
certificate whose signature the user trusts. 
[0079] Turning back to Figure 6, if the user did not se- 
lect program- invoking permission, then a check is made 
(220) todetermine if this is a request to specify situations 5 
in which this program may be invoked. If so, then a de- 
termination is made (223) to ascertain limitations or 
qualifications of such authority. One such specification 
might be that the program must be invoked directly by 
the user (and perhaps this would be the default in lieu 
of any specification); perhaps this program could only 
be invoked by programs with names from a specific list, 
or from specific libraries similar to the 'invoking author- 
ity" described above. Perhaps the program can only be 
invoked by programs with greater authority, or with less- 
er authority. Which rule is appropriate may be related to 
how the underlying system combines PAI authorizations 
for programs called by other programs. Another aspect 
of this qualification, may be to specify how the authority 
of this program is to be combined with the authority of 
an invoking program - e.g., whether this program's'ef- 
fective authority is restricted by the caller's. Many other 
possibilities are also available, perhaps even differing 
for each type of authority. 

[0080] Turning to Figure 7, if the authority identified in 
block 220 was not selected, then a check is made to 
determine whether the program is to be allowed to gen- 
erate electronic mail (222). If so, then a check is made 
as to whether this ability to generate electronic mail is 
to be qualified, e.g., restricted to certain individuals. If 
so, such further qualifications are specified by the user 
(224). 

[0081] If the authority identified in block 222 is not se- 
lected, then the user is asked as to whether the program 
is to be allowed to transmit data to other users (226). If 
so, the above-identified processing in block 224 is per- 
formed to determine any qualifications to this authority. 
[0082] If the authority identified in block 226 is not se- 
lected, then as indicated in block 228, a check is made 
to determine whether the program is allowed to perform 
"document release 0 operations. If so, then qualifications 
to this authority may be selected and stored by, for ex- 
ample, determining from the user the class of docu- 
ments to which the authority applies (e.g., top secret,, 
secret, sensitive, etc.). Alternatively, the documents to 
be released may not require "release" from a security 
point of view, but rather may relate to an engineering 
release of documents. In either event, any selected 
qualifications are recorded. 

[0083] If the authority identified in block 228 is not se- 
lected, then a check is made to determine if the program 
is to be allowed to execute machine language programs 
(232). This authority may be useful to prevent certain 
routines from inappropriately executing or being execut- 
ed as a machine language program. The user may be 
prompted to specify any appropriate qualifications 233. 
If the authority identified in block 232 is not selected, 
then a check is made to determine whether the program 


should be given any special memory access privileges, 
e.g., access to storage reserved for certain operating 
system programs (234). If so, then the user will be 
prompted to specify any qualifications to such access 
privileges as appropriate. 

[0084] If the authority identified in block 234 is not se- 
lected, then a check is made to determine whether the 
program should have the authority to display information 
to the user (238). In this regard, certain programs may 
be intended solely for the purpose of performing certain 
calculations. Such a program might be designed such 
that there should not be any user interaction whatsoev- 
er. If such a program were to be tampered with, instruc- 
tions may have been inserted to create an erroneous 
message to the user which may cause a security 
breach. For example, a screen may be displayed to the 
user that there has been a system failure and that it is 
necessary for the user to enter his secret password to 
resume operation. Such a program may automatically 
transmit the password to a party who will then have ac- 
cess to the password and any other information entered 
on such a screen. 

[0085] If a program is given the authority to display 
information to the user, as indicated in block 240, this 
authority may be restricted, for example, by only permit- 
ting display in a special window, or only on special con- 
soles. 

[0086] If the authority identified in block 238 was not 
selected, then a check is made as indicated in the Figure 
8, block 242 as to whether the program is to have the 
authority to solicit input from the user. If so, then this 
authority may be qualified by specifying possible restric- 
tions, for example, via soliciting from a special window 
or terminal, (244). 

[0087] If the authority identified in block 242 is not se- 
lected, then a check is made as to whether the program 
is to have the authority to solicit digital signatures (246). 
In this regard, a mischievous program might trick a user 
by displaying one set of information, but causing the ac- 
tual digital signature to be applied to an entirely different 
set of digital material. Thus, by requiring PAI authoriza- 
tion to solicit and/or perform digital signature operations, 
an unauthorized program is prevented from mimicking 
the external attributes of an authorized program, but in- 
ternally applying the user's digital signature capability to 
fraudulent material. 

[0088] If the program is authorized to solicit digital sig- 
natures, limitations may be placed on this authority as 
indicated in block 248. Thus, the program may be only 
allowed to effect digital signatures on material with lim- 
ited scope, value, authority or other characteristics. 
[0089] If the authority identified in block 246 is not se- 
lected, then a check is made to determine whether a 
program may have authority to direct robot devices, or 
any specified computer equipment or computer related 
devices. If such authority is selected, qualifications may 
be placed on such authority by specifying the details and 
scope of control over such equipment (252). 
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[0090] If the authority identified in block 250 is not se- 
lected, then a check is made to determine whether ac- 
cess is to be generally limited by security class (254). 
Thus, certain resources, files, etc. may be associated 
with a particular security class, such as secret, sensitive, s 
etc. If such authority is to be associated with the pro- 
gram, then restrictions may likewise be specified, in- 
cluding designations of the particular security level 
(256). 

[0091] If the authority identified in block 254 is not se- 
lected, then a check is made as to whether any other 
computer function or resources are to be controlled 
(258). If so, then the user is prompted to specify details 
as to such other computer functions or resources (260). 
[0092] If the authority identified in block 258 is not se- 
lected, then a check is made to determine whether the 
user has finished specifying authority (262) as shown in 
Fig. 9A. If the user has not finished specifying authority, 
then a message is issued indicating that the user is at- 
tempting to specify an unknown authority specified 
(264) since the array of authority selections has, at this 
point, been exhausted. The routine then routine branch- 
es back to Figure 6, at entry point G to resume process- 
ing at block 210. 

[0093] If the user has finished specifying authority, as 
determined in block 262, all previously defined authori- 
zations are collected and the PAI structure shown in Fig- 
ure 2 is completed, except for digital signature related 
entries. 

[0094] A check is then made in block 268 to determine 
whether the PAI structure is to be digitally signed. If so, 
then the appropriate digital signature operation is per- 
formed on the PAI structure, as indicated in block 270. 
The digital signature may be performed in accordance 
with the teachings in the inventor's U.S. Patent Nos. 
4,868,B77 and 5,005,200 or by using more conventional 
digital signature and certification techniques as desired. 
Thereafter, the PAI is stored using, for example, one of 
the approaches set forth in Figures 3A through 3D so 
that it is associated with its program 272 and the routine 
is thereafter exited. 

[0095] Turning to Figure 9B, at entry point F, after 
each of the authorizations described in regard to blocks 
21 2 through 258 have been selected, and an indication 
of the selection recorded, the routine branches to block 
274 to determine whether the authority specification is 
being digitally signed. If the authority is not being digit- 
ally signed, then the newly defined authority is added to 
the authorization information for the associated program 
(280) and the routine branches back to block 210 at en- 
try point G in Figure 6. 

[0096] If the authority is to be digitally signed, then a 
check is made as to whether the enhanced certification 
(with authority) is being used in accordance with the in- 
ventor's U.S. Patent Nos. 4,868,877 and 5,005,200 
(276). If no, then the routine branches to block 280 as 
described above. 

[0097] If enhanced digital certification is being used, 


then a check is made to determine whether the user's 
enhanced authority certificate, as described in the 
above-identified patents, permits assigning this particu- 
lar program's authority specification. If the enhanced au- 
thority certificate does permit assigning such authority, 
then the above-identified processing in block 280 is per- 
formed. If not, then a message is issued to the user that 
"Your certificate does not permit assigning this level of 
program authority" as indicated in block 282. The rou- 
tine then branches back to Figure 6 and entry point G 
for the processing of block 210. 
[0098] Figures 10 and 11 illustrate the sequence of 
operations of a supervisor program for controlling the 
processing of a program being executed in accordance 
with its program authorization information. The process- 
ing of a program "X° and its program authorization in- 
formation illustrated in Figure 10 is initiated while the 
computer is executing a supervisor routine. As shown 
in Figure 10 at 300, a calling program calls program X 
for execution. Thereafter, a program control block is cre- 
ated for program X. The program control block created 
will not be added to the top of the execution stack until 
it is determined that the program is permitted to be in- 
voked and verification is successful completed. Thus, if 
the program fails a security check, it will not be placed 
in the program execution chain. In addition to creating 
a "tentative" program control block, the called program 
will be located through an appropriate program directory 
during the processing in block 302. 
[0099] Thereafter, a check is made at block 304 to de- 
termine whether PAI has yet been associated with pro- 
gram X so as to place program X in the so-called "safety 
box" described above. This PAI may or may not be 
signed depending upon its particular application as de- 
scribed above. 

[0100] If no PAI has yet been associated with the pro- 
gram, then a check is made to determine whether the 
program has an associated signed "pedigree" from the 
manufacturer (306). Thus, if a well known manufacturer 
ol programs has signed the program with a public key 
or digital certificate, then, if desired, such a program may 
be assigned whatever level of authority desired depend- 
ing upon how much the manufacturer is trusted and the 
system may permit execution of such program. Such a 
digital signature from the manufacturer can be used to 
verify that the associated program had not been infected 
with a virus since it can be determined whether or not 
the program is exactly the same as it was when it was 
generated by the manufacturer. 
[01 01] If the check in block 306 indicates that there is 
a digital signature from the manufacturer in block 308, 
the manufacturer's "pedigree" will be verified by verify- 
ing the digital signature and performing whatever certi- 
fication and authorization checks are appropriate, given 
the trust criteria which has previously been established 
by the user (and signed by a manufacturer in which the 
user has previously established trust). Mechanisms for 
performing digital signatures which delegate authority 
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are specified in detail in the inventor's U.S. Patent Nos. 
4,868,877 and 5,005,200, which patents have been ex- 
pressly incorporated herein by reference. 
[0102] Depending upon the outcome of verification 
operations in block 308, a decision is made in block 320 s 
as to whether the manufacturer's pedigree is accepta- 
ble. If the manufacturer's pedigree is not acceptable, the 
routine branches to block 324 where the execution of 
the program is suppressed, as will be explained further 
below. 

[0103] If the manufacturer's pedigree is acceptable, 
then the routine branches to block 326 where storage is 
allocated for the program and the program is loaded in 
a manner to be described in detail below. 
[0104] As indicated at block 310, if it is determined 
that a PAI has been associated with program X, a check 
is made to determine whether the PAI is signed. If the 
PAI is signed, then as indicated at block 316, the signa- 
tures are verified. In the presently preferred embodi- 
ment, signatures are verified through a certificate hier- 
archy. The preferred methodology for determining 
whether the signatures are valid and whether they are 
trusted by the caller and whether the authority delegated 
by the program is permitted to have been delegated by 
the signer is taught in the inventor's U.S. Patent Nos. 
4,868,877 and 5,005,200. As indicated in these patents, 
the trust level may be determined by which high level 
public keys, and/or metacertifiers have been specified 
as trusted by the user. Alternatively, more conventional 
digital signature techniques may be employed. 
[0105] Depending upon the processing in block 316, 
a decision is made in block 322 whether the signatures . 
are valid, authorized and trusted. If the signatures are 
not determined to be valid, then the routine branches to 
block 324 where the execution in program X is sup- 
pressed. 

[0106] If the check in block 310 reveals that the PAI 
is not signed, then a further check is determined at 312 
as to whether the particular system or application de- 
mands that the PAI be signed (312). If, for example, a 
user generated program is being executed for the user's 
own use, then no signature may be necessary since the 
program is not being distributed and the user trusts what 
he has done. If it is determined in block 312 that no dig- 
ital signature was necessary, then block 318 would ac- 
cept and use the unsigned PAI and storage would be 
allocated and the program X would be loaded (326). 
[01 07] If it is determined that a digital signature is nec- 
essary at block 31 2, then a check is made at block 31 4 
as to whether the system has a "minimal" authority de- 
fault for programs that have no explicit PAI or an un- 
signed PAI. Thus, for example, the system may permit 
a program to run under a minimum authority default as 
long as it does not attempt to modify any permanent file. 
If there is no minimum authority default, then the exe- 
cution of the program is suppressed (324). In the proc- 
ess of suppressing the execution of the program, an er- 
ror code or message will be returned to the calling pro- 


gram. For example, a message may be displayed to the 
calling program that "program X does not have valid, 
signed authorization." The routine then branches to 
block 410 which operate to actually suppress the exe- 
cution as will be explained further below. 
[0108] If the processing in blocks 322 and 316 reveal 
that the signatures are valid, then the processing in 
block 326 is performed. Initially, storage is allocated for 
the program. The program may or may not be loaded 
into memory which only the supervisor is allowed to alter 
depending upon the constraints built into the computer 
system and the nature of the program. If the program 
modifies itself, then it cannot be loaded into memory 
which only the supervisor is allowed to alter 
[0109] Thereafter, the program X^ program authoriz- 
ing information is combined, as appropriate, with the PAI 
associated with the PCB of the calling program, if any. 
This combined PAI, which may include multiple PAI's, is 
then stored in an area of storage which cannot generally 
be modified by the program and the address of the PAI 
is stored in the process control block (PCB) as indicated 
in field 156 of Figure 5. Thus, if program X is called by 
a calling program, it is subject to all its own constraints 
as well as being combined in some way with the con- 
straints of the calling program, which aggregate con- 
straints are embodied into program X's PAI. In this fash- 
ion, a calling program may not be permitted to exceed 
its assigned bounds by merely calling another program. 
There are many alternative ways that a program's PAI 
could be combined with the PAI of the program which 
invokes it -- depending on the strategies which are ap- 
plicable to the current environment, and the inherent na- 
ture of the programs themselves. It may even be likely 
that even the method of combination is itself one of the 
PAI authorities, or qualifiers, of either or both the invok- 
ing or invoked program. 

[011 0] For example, it is reasonable to restrict a called 
program to the lesser of its "normal" PAI authority and 
that of its calling program -- to insure the calling program 
cannot mischievously misuse the called program's 
greater authority to circumvent its own limitations. 
[0111] On the other hand, for called programs which 
carefully verify their own actions, it could be possible to 
allow the called program greater inherent authority than 
the program which calls it - this way sensitive resources 
could be made available to wider use by mediating such 
use through trusted sub-programs. The possibilities for 
such combination must be carefully considered, not only 
by the designers of the underlying control system, but 
also by those who assign authority to each program. 
Thereafter, the program is loaded and the hash of the 
program is computed based on the algorithm specified 
in the program's PAL 

[0112] Turning back to block 314, if it is determined 
that the system has a minimum authority default, then 
as indicated at block 328, the minimum default authority 
is used. Such minimum default authority is combined as 
appropriate with the PAI of the calling program, if any, 
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and inserted into the new PCB as explained above in 
conjunction with block 326. The storage for the PAI is 
allocated from memory that the program generally can- 
not alter. Thereafter, the storage is allocated tor the pro- 
gram as explained above in conjunction with block 326 
and the address is saved in the PCB. The processing in 
block 328 using the default authority does not involve 
computing a hash of the program and the routine 
branches to block 334 to prepare for program execution. 
[0113] Turning to block 330, a check is made to de- 
termine whether the computed program hash in block 
326 agrees the hash stored in the PAI. If the hashes do 
not match, then the routine branches to block 332 in 
which an error message is forwarded to the calling pro- 
gram such as "program X has been altered or damaged" 
and the routine branches to block 410 to suppress exe- 
cution of the program. 

[0114] In block 334, the program is prepared for initial 
execution, after it has been determined that the hashes 
match or after the processing in block 328. The prepa- 
ration for initial execution includes setting initial status 
and "resume" information in the program's PCB so that 
the program will start at the proper entry point. Addition- 
ally, the program's PCB will be placed on the top of the 
execution stack. 

[01 1 5] Turning to Figure 1 1 , in block 336 the execution 
of the current program either starts or resumes execu- 
tion upon being placed on top of the execution stack. 
The processing which occurs in blocks 336 through 410 
includes operations which are conventionally preformed 
to execute a program. Processing operations will now 
be described with emphasis on those operations involv- 
ing PAI processing. In block 336, the supervisor pre- 
pares to continue a program at a saved "resume" point 
by reloading (or loading) the state of various registers 
to reflect their state at the point in time when the program 
was last interrupted (or initialized). Additionally, system 
status information is restored, e.g., such as stack point- 
ers, etc., depending upon the particular system environ- 
ment being utilized. 

[0116] After the processing in block 336, if an appli- 
cation program is being executed, then the system 
switches from a "supervisor" mode to a "isolation" mode 
so that the program resumes execution in the isolation 
mode (338). In the isolation mode, the program is unable 
to affect computer resources except through protected 
supervisor calls which switch the computer back to the 
"supervisor" mode (it is noted that in certain cases and 
in certain environments, it may be possible that the pro- 
gram is designed and required to run in a "supervisor" 
mode. In this case, provided the program is properly au- 
thorized as defined in its PAI, it will at some point use a 
"supervisor" function to set the status in its PCB to en- 
able "supervisor" state operation. In such case, it would 
be appropriate to check that status and if set, to give 
control to the program supervisor state.). 
[0117] In block 340, it is presumed that the program 
has requested a controlled "supervisor" function. Under 


such circumstances the computer switches, e.g., by set- 
ting a predetermined status word, to the "supervisor" 
mode and passes control to a protected system monitor 
interrupt routine. The program's resume position is 
5 saved in the program's PCB and other appropriate sys- 
tem status is saved in the PCB. Afterwards the function 
and resources to be accessed are determined and the 
nature of the access, e.g., to read, to modify, and delete, 
etc. 

10 [0118] Additionally, in block 340, an examination is 
made of the PAI information stored in the process con- 
trol block. As a follow up to, or associated with, the 
processing in block 340, a check is made in block 342 
to determine whether the examined PAI is allowed ac- 
ts cess to the required resources or allowed to perform the 
required functions. For example, if an attempt is made 
to use electronic mail, a check is made of the PAI to de- 
termine whether the program is authorized to perform 
electronic mail functions and if so whether the mailing 

20 is limited to a set of mail identifiers. 

[0119] If the check at 342 reveals that the PAI does 
not allow the attempted function or resource access, 
then a error message is generated in block 344 to indi- 
cate that the program is attempting to exceed its limits, 

25 access to the resource or function is denied and an ap- 
propriate error code or message is generated. A check 
is then made in block 350 to determine whether the pro- 
gram attempting to achieve access should be informed 
that it has been denied access (350). If the check in 

30 block 350 reveals that the program should be so in- 
formed, then in block 352, the program is allowed to 
resume execution with a message indicating the type of 
access violation that caused the request to fail and be 
suppressed. The routine then branches back to block 

35 336 for resuming execution of the program. Under such 
circumstances, the program may be informed, for exam- 
ple, that its PAI is only authorized to read authority for a 
particular file whereas an attempt was made to write to 
that file. If the check at block 350 indicates that the call- 

40 ing program should not be informed, then appropriate 
status and related messages (for the calling program) 
are generated indicating termination due to an unspec- 
ified access violation 356. 

[0120] If the check in block 342 reveals that the PAI 
45 does allow access to the function or resource, then a 
check is made in block 346 to apply conventional access 
controls to ensure that the user of the program is still 
within the bounds of his authority. This check ensures 
that the function or resource request is within the scope 
so of that allowed by the system for this particular user. 
Thus, while a PAI may allow a program to access a cer- 
tain class of files, it may be that the security level asso- 
ciated with a particular user may not allow that user ac- 
cess to such files. Block 346 applies conventional secu- 
55 rity techniques to protect the system from a user who is 
not properly authorized. This check may, for example, 
be based upon a user identification code initially entered 
into the system upon sign-on. As indicated at block 348, 
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if the user was not authorized, then access is denied 
since the program is attempting to violate the user's ac- 
cess capability and appropriate error codes/messages 
are generated. Thereafter, the processing explained 
above with respect to block 350 and 352 is initiated. 
[0121] If the user is authorized as determined by the 
processing in block 346, then the function is performed 
as indicated in block 354. If the function is a program 
exit, then the routine exits the program via block 358, 
where the associated PCS is removed from the top of 
the execution stack. 

[0122] Further termination processing is performed in 
block 410, where any stray storage and resources that 
were accumulated during the execution of the program 
are released, including as necessary, the storage as- 
signed to program X and its PAI storage. The PCB and 
all associated storage are released and final status in- 
formation including error codes and messages, as ap- 
propriate are presented to the program's caller. There- 
after the routine branches back to block 336 to resume 
the calling program. 

[0123] Finally, turning back to block 354, if a program 
call is the function to be performed, then the routine 
branches to block 300 in Figure 10 to call the appropriate 
program. 

[01 24] While the invention has been described in con- 
nection with what is presently considered to be the most 
practical and prelerred embodiment, it is to be under- 
stood that the invention is not to be limited to the dis- 
closed embodiment, but on the contrary, is intended to 
cover various modifications and equivalent arrange- 
ments. 


Claims 

1. A computer system having processing means (2) 
for executing a plurality of incoming programs and 
a memory means (7) for storing program instruc- 
tions and data, comprising an apparatus for protect- 
ing a computer user from operations typically per- 
formable by a computer program executing on be- 
half of a user, said apparatus comprising: 

means for generating a hash of at least one in- 
struction of said incoming programs; 
means for storing a plurality of authorisation en- 
tries (32, 34, 36) in said memory means, where- 
in said entries qualify operations which an as- 
sociated program is permitted to perform when 
executed by said processing means; and 
means for storing in at least one segment, data 
for associating said authorisation entries with 
at least one program (24, 28). 

2. A computer system according to claim 1 , wherein 
said at least one segment includes means for stor- 
ing a hash of said associated program (24). 


3. A computer system according to claim 1 , wherein 
the means for storing a plurality of authorisation en- 
tries includes means for indicating at least one of 
the type of function and resource for each of said 

s entries (34). 

4. A computer system according to claim 1, wherein 
the means for storing a plurality of authorisation en- 
tries includes means for storing a qualification of au- 

io thority and abilities which has been granted to the 
program. 

5. A computer system according to claim 1 , further in- 
cluding means for storing a digital signature (40). 

15 

6. A computer system according to claim 5, further in- 
cluding means for indicating the authority granted 
to the signing party. 

20 7. a computer system according to claim 5, further in- 
cluding means for indicating that a plurality of digital 
signatures are necessary for at least one signature 
to be considered valid (44). 

25 8. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion of the set of data to which said associated pro- 
gram has authority to access. 

30 

9. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion of the set of fields of at least one file to which 

35 said associated program has the authority to ac- 
cess (212). 

10. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 

40 ization entries includes means for storing an indica- 
tion of whether said associated program has the au- 
thority to invoke programs (210). 

11. A computer system in accordance with claim 1, 
45 wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion of whether said associated program has au- 
thority to generate electronic mail (222). 

50 12. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion of whether said associated program has au- 
thority to transmit data to other users (226). 

55 

13. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
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tion of whether said associated program has au- 
thority to perform document release operations 
(228). 

14. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion of the memory access privileges authorized 
with this program (232). 

15. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion of at least one qualification of said associated 
program regarding the ability to display information 
to a user (238). 

16. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion of at least one qualification on said associated 
program regarding the ability to solicit input on be- 
half of a user (247). 

17. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion of at least one qualification on said associated 
program regarding the ability to solicit digital signa- 
tures on behalf of a user (246). 

18. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion of at least one qualification on said associated 
program regarding the ability to control devices 
(250). 

19. A computer system in accordance with claim 1, 
wherein said means for storing a plurality of author- 
ization entries includes means for storing an indica- 
tion that access is limited by a security clearance. 

20. A computer system in accordance with claim 1, 
wherein said means for storing includes means for 
storing an indication that document release opera- 
tions may be performed. 

21. A computer system in accordance with claim 1, 
wherein said plurality of authorization entries are in- 
cluded as part of a digital signature. 

22. A method of operating a computer system including 
processing means (2) for executing a plurality of in- 
coming programs and memory means for storing at 
least one program (7), said computer system hav- 
ing a plurality of computer resources and being ca- 
pable of performing a wide range of information 


processing related functions under program con- 
trol, said method being for protecting a computer 
user from operations typically performable by a pro- 
gram while it is executing on behalf of a user, and 
5 comprising the steps of: 

generating a hash of at least one instruction of 
said incoming program; 
establishing a program authorising information 
10 data structure (Fig. 2) for storing a plurality of 

authorization entries each indicating at least 
one of those computer resources and informa- 
tion processing related functions which may be 
used by an associated program; 
*5 storing said program authorising information 

data structure (266); and 
associating the program authorising informa- 
tion data structure with at least one program to 
be executed by said computer system to there- 
to by protect the computer user from operations 
that might be performed by said at least one 
program, whereby the program authorising in- 
formation is available to be monitored when its 
associated program is executed (272). 

25 

23. A method in accordance with claim 22, further in- 
cluding the step of including a digital hash (24) of 
said program to be executed as part of the program 
authorisation information data structure. 

30 

24. A method in accordance with claim 22, further in- 
cluding the step of digitally signing at least a part of 
the program authorisation information data struc- 
ture with the private key of an authorising entity 

35 (270). 

25. A method according to claim 24, wherein the digit- 
ally signing step includes indicating that a plurality 
of digital signatures are required in order for any dig- 

40 ital signature to be valid (44). 

26. A method according to claim 24, wherein the digit- 
ally signing step includes the step of indicating at 
least one qualification of authority which has been 

45 granted to the signer (40). 

27. A method according to claim 22, wherein the pro- 
gram authorization information data structure is de- 
fined by a computer user before an associated pro- 
fit) gram is executed. 

28. A method according to claim 27, wherein said com- 
puter user has no special privileges and defines 
said program authorization information for said us- 

55 er*s own use. 

29. A method according to claim 22, wherein the step 
of establishing provides an indication of at least a 
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part of at least one data file to which the program 
may have access (212). 

30. A method according to claim 22, wherein the step 
of establishing provides an indication of at least one 
file to which a program to be executed has access 
and specifies the ability to write information in at 
least one file (216). 

31. A method according to claim 22, wherein the step 
of establishing provides an indication of the set of 
programs which are authorized to be invoked by 
said program (220). 

32. A method according to claim 22, further including 
the step of limiting, using said stored program au- 
thorizing information associated with a program to 
be executed, the use of at least one of the resources 
and functions which would otherwise be available 
to said program. 

33. A method according to claim 22, wherein the step 
of establishing indicates at least one rule governing 
the authority of said associated program to transmit 
information (226). 

34. A method according to claim 33, wherein at least 
one rule provides an indication of the authority to 
transmit information includes the step to utilize elec- 
tronic mail (222). 

35. A method according to claim 22, wherein the step 
of establishing provides at least one rule governing 
the program's ability to perform digital signatures. 

36. A method according to claim 22, wherein the step 
of establishing qualifies the program's ability to per- 
form document release operations. 

37. A method according to claim 22, wherein the step 
of establishing qualifies the program's ability to ex- 
ecute machine language instructions which are not 
subject to being fully monitored for authorization. 

38. A method according to claim 22, wherein the step 
of establishing qualifies the set of memory which the 
said associated program is permitted to access 
(212.216). 

39. A method according to claim 22, wherein the step 
of establishing indicates the set of qualifications 
governing the ability of the program to display infor- 
mation to the user (238). 

40. A method according to claim 22, wherein the step 
of establishing indicates the set of qualifications 
governing the ability of the program to solicit infor- 
mation from a user (242). 


41. A method according to claim 22, wherein the step 
of establishing indicates the set of qualifications 
governing the ability of the program to control com- 
puter controlled resources which are coupled to the 

s computer (250). 

42. A method according to claim 41 , wherein the set of 
qualifications governs the ability of the program to 
transmit information via a modem. 

10 

43. A method for executing programs in a computer 
system having means for executing a plurality of in- 
coming programs and a memory means coupled to 
said means for executing, for storing data and pro- 
fs gram instructions, said computer system being ca- 
pable of performing a wide range of information 
processing related operations under program con- 
trol for a computer user, said method comprising 
steps of: 

20 

identifying a program to be executed (300); 
generating a hash of at least one instruction of 
said program to be executed; 
determining whether a program authorising in- 

25 formation data structure has been associated 

with the program (304), wherein said program 
authorising data structure qualifies the ability of 
the program from performing information 
processing related operations which are avail- 

30 able to said computer user; 

examining said program authorising informa- 
tion data structure if one has been associated 
with said program (310, 330); 
determining from an examination of said pro- 

35 gram authorisation information whether the as- 

sociated program is allowed to perform an at- 
tempted information processing related opera- 
tion (342); and 

suppressing performance of said operation if 
40 said program authorising information data 

structure indicates that said program is not al- 
lowed to perform an attempted operation (344, 
410). 

45 44. a method according to claim 43, further including 
the step of checking said authorisation information 
prior to permitting said program to utilise a required 
resource. 

50 45. A method according to claim 43, further including 
the step of checking whether said program author- 
isation information data structure allows the per- 
formance of an operation defined in said associated 
program. 

55 

46. A method according to claim 43, further including 
the step of checking to determine whether a user 
has been assigned the authority to run programs 
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performing a predetermined operation (346). 

47. A method according to claim 43, further including 
the step of verifying any digital signature associated 
with said program authorization information data 
structure (316). 

48. A method according to claim 47, including the step 
of suppressing the execution of said program if said 
digital signature is not valid (322, 324). 

49. A method according to claim 43, further including 
the step of combining the authorizing information of 
said program with the authorizing information asso- 
ciated with a routine calling said program. 

50. A method according to claim 43, wherein said au- 
thorizing information data structure includes means 
for storing a hash of said program, and further in- 
cluding the step of computing the hash of said pro- 
gram and comparing the computed hash with said 
stored hash. 

51. A method according to claim 43, further including 
the step of verifying the authority associated with 
the signer of a digital signature (308). 

52. A method according to claim 43, further including 
the step of combining the authorizing information of 
said program with the authorizing information asso- 
ciated with a routine called by said program. 

53. A method according to claim 43, wherein said au- 
thorization information includes an indication of the 
set of data to which said associated program has 
authority to access. 

54. A method according to claim 43, wherein said pro- 
gram instructions are expressed in machine lan- 
guage code, and wherein said operations are per- 
formed through calls to a controlled supervisor 
which monitors and enforces the program authoriz- 
ing data structure. 

55. A method according to claim 43, further including 
the step of associating said program authorization 
information with a travelling program which includes 
instructions for transmitting itself to another desti- 
nation. 

56. A method according to claim 55, further including 
the stop of storing certificates as variables within a 
travelling program such that said variables can be 
operated on by the said program 

57. A method according to claim 43, wherein said pro- 
gram instructions are expressed in interpretive 
"pseudo" code which is processed by an interpreter 


program which monitors and enforces the said pro- 
gram authorizing data structure. 


1. Compute rsystem mil einer Verarbeitungseinrich- 
tung (2) zum Ausfuhren einer Vielzahl eingehender 
Programme und einer Speichereinrichtung (7) zum 

10 Speichem von Programmbefehlen und Daten mit 
einer Vorrichtung, um einen Computeranwender 
vor Operationen zu schutzen, die ublicherweise von 
einem Computerprogramm durchfuhrbar sind, das 
im Aultrag eines Anwenders ausgef uhrt wird, wobei 

is die Vorrichtung aufweist: 

eine Einrichtung zum Erzeugen einer Kontroll- 
summe von zumindest einem Befehl der einge- 
henden Programme; 

20 

eine Einrichtung zum Speichern einer Vielzahl 
von Berechtigungseintragen (32, 34, 36) in der 
Speichereinrichtung, wobei die Eintrage Ope- 
rationen qualifizieren, die ein zugeordnetes 
25 Prog ram m durchfuhren darf, wenn es von der 

Verarbeitungseinrichtung ausgefuhrt wird; und 

eine Einrichtung zum Speichern von Daten in 
zumindest einem Segment, um die Berechti- 
30 gungseintrage zumindest einem Programm 

(24, 28) zuzuordnen. 

2. Computersystem nach Anspruch 1 , wobei das zu- 
mindest eine Segment eine Einrichtung zum Spei- 

3$ chern einer Kontrollsumme des zugeordneten Pro- 
gramms (24) enthalt. 

3. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 

40 tigungseintragen eine Einrichtung zum Hinweisen 
auf zumindest die Funktionsart oder die Bezugs- 
quelle von jedem Eintrag (34) enthalt. 

4. Computersystem nach Anspruch 1 , wobei die Ein- 
45 richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 
einer Qualif ikation der Berechtigung und der Fahig- 
keiten enthalt, die dem Programm erteilt bzw. ge- 
geben wurden. 

so 

5. Computersystem nach Anspruch 1, des weiteren 
mit einer Einrichtung zum Speichern einer digitalen 
Unterschrift (40). 

55 6. Computersystem nach Anspruch 5, des weiteren 
mit einer Einrichtung zum Hinweisen auf die Be- 
rechtigung, die der unterschreibenden Partei erteilt 
ist. 


5 Patentanspruche 
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7. Computersystem nach Anspruch 5, des weiteren 
mil einer Einrichtung zum Hinweisen darauf , daB ei- 
ne Vielzahl von digitalen Unterschriften fur zumin- 
dest eine Unterschrift erforderlich ist t um ats gultig 
betrachtet zu werden (44). 

8. Computersystem nach Anspruch 1 , wobei die Ein- 
richtung zum Speichern einer Vietzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises auf den Datensatz enthalt, auf den 
das zugeordnete Programm Zugriffsberechtigung 
hat. 

9. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises aul den Satz von Feldern von zu- 
mindest einer Datei enthalt, zu der das zugeordnete 
Programm die Zugriffsberechtigung hat (212). 

10. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises enthalt, ob das zugeordnete Pro- 
gramm die Berechtigung hat, Programme aufzuru- 
fen (210). 

11. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises enthalt, ob das zugeordnete Pro- 
gramm die Berechtigung zum Erzeugen einer elek- 
tronischen Briefubermittlung hat (222). 

12. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises enthalt, ob das zugeordnete Pro- 
gramm die Berechtigung hat, Daten zu anderen An- 
wendem zu ubertragen (226). 

13. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises enthalt, ob das zugeordnete Pro- 
gramm die Berechtigung hat, Operationen zum 
Freigeben von Dokumenten durchzufuhren (228). 

14. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises auf die Speicherzugriffsprivilegien 
enthalt, die bei diesem Programm berechtigt sind 
(232). 

15. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 


eines Hinweises auf zumindest eine Quaiifikation 
des zugeordneten Programms enthalt, die die Fa- 
higkeit betrifft, einem Anwender Informationen an- 
zuzeigen (238). 

5 

16. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises auf zumindest eine Quaiifikation 

w des zugeordneten Programms enthalt, die die Fa- 
higkeit betrifft, eine Eingabe von einem Anwender 
zu erbitten (247). 

17. Computersystem nach Anspruch 1, wobei die Ein- 
is richtung zum Speichern einer Vielzahl von Berech- 

tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises auf zumindest eine Quaiifikation 
des zugeordneten Programms enthalt, die die Fa- 
higkeit betrifft, Digitalunterschriften von einem An- 
20 wender zu erbitten (246). 

18. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern einer Vielzahl von Berech- 
tigungseintragen eine Einrichtung zum Speichern 

25 eines Hinweises auf zumindest eine Quaiifikation 
des zugeordneten Programms enthalt, die die Fa- 
higkeit betrifft, Vorrichtungen zu steuern (250). 

19. Computersystem nach Anspruch 1, wobei die Ein- 
30 richtung zum Speichern einer Vielzahl von Berech- 

tigungseintragen eine Einrichtung zum Speichern 
eines Hinweises enthalt, daB der Zugriff von einer 
Sicherheitsfreigabe eingeschrankt ist. 

35 20. Computersystem nach Anspruch 1, wobei die Ein- 
richtung zum Speichern eine Einrichtung zum Spei- 
chern eines Hinweises enthalt, daB Operationen 
zum Freigeben von Dokumenten ausgefuhrt wer- 
den kdnnen. 

40 

21. Computersystem nach Anspruch 1, wobei die Viel- 
zahl von Berechtigungseintragen als Teil einer Di- 
gitalunterschrift eingefugt sind. 

45 22. Verfahren zum Betreiben eines Computersystems 
mit einer Verarbeitungseinrichtung (2) zum Ausfuh- 
ren einer Vielzahl von eingehenden Programmen 
und einer Speichereinrichtung zum Speichern zu- 
mindest eines Programms (7), wobei das Compu- 

so tersystem eine Vielzahl von Computerbetriebsmit- 
teln aufweist und einen groGen Bereich von mit In- 
formationverarbeitung verwandten Funktionen un- 
ter Programmkontrolle durchfuhren kann, wobei 
das Verfahren zum Schutzen eines Computeran- 

55 wenders vor Operationen dient, die ublicherweise 
von einem Programm durchfuhrbar sind, wenn es 
im Auftrag von einem Anwender ausgefuhrt wird, 
und folgende Schritte aufweist: 
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Erzeugen einer Kontrolisumme von zumindest 
einem Befehl des eingehenden Programms; 

Schaffen einer Informationsdatenstruktur der 
Programmberechtigung (Fig. 2) zum Speichern 
einer Vielzahl von Berechtigungseintragen, die 
jeweils auf zumindest diese Computerbetriebs- 
mittel Oder die Informationsverarbeitung betref- 
fende Funktbnen hinweist, die von einem zu- 
geordneten Programm verwendet werden kon- 
nen; 

Speichern der Informationsdatenstruktur der 
Programmberechtigung (266); und 

Zuordnen der Informationsdatenstruktur der 
Programmberechtigung zu zumindest einem 
Programm, daB von dem Compute rsyst em 
ausgefuhrt werden soil, um dadurch den Com- 
puteranwender vor Operationen zu schutzen, 
die von zumindest einem Programm durchge- 
fuhrt werden konnen, wodurch die Information 
der Programmberechtigung zur Verfugung 
steht, um uberwacht zu werden, wenn ein ihr 
zugeordnetes Programm ausgefuhrt wird 
(272). 

23. Verfahren nach Anspruch 22, des weiteren mit dem 
Schritt des Einfugens einer digitalen Kontrolisum- 
me (24) des Programms, das ausgefuhrt werden 
soli, als Teil der Informationsdatenstruktur der Pro- 
grammberechtigung. 

24. Verfahren nach Anspruch 22, des weiteren mit dem 
Schritt des digitalen Unterschreibens zuminde- 
stens eines Teils der Informationsdatenstruktur der 
Programmberechtigung mit dem privaten Schlussel 
einer Berechtigungsdateneinheit (270). 

25. Verfahren nach Anspruch 24, wobei der Schritt des 
digitalen Unterschreibens das darauf Hinweisen 
auf wet st, daft eine Vielzahl digitaler Unterschriften 
erforderlich sind, damit jede digitate Unterschrift 
gultig ist (44). 

26. Verfahren nach Anspruch 24, wobei der Schritt des 
digitalen Unterschreibens den Schritt aufweist, auf 
zumindest eine Qualifikation der Berechtigung hin- 
zuweisen, die dem Unterschreibenden erteilt wurde 
(40). 

27. Verfahren nach Anspruch 22, wobei die Informati- 
onsdatenstruktur der Programmberechtigung von 
dem Computeranwender f estgelegt wird, bevor ein 
zugeordnetes Programm ausgefuhrt wird. 

28. Verfahren nach Anspruch 27, wobei der Computer- 
anwender keine speziellen Privilegien hat und die 


Information der programmberechtigung fur den ei- 
genen Gebrauch des Anwenders bestimmt. 

29. Verfahren nach Anspruch 22, wobei der Schritt des 
s Einrichtens einen Hinweis auf zumindest einen Teil 

zumindest einer Datendatei schafft, auf den das 
Programm Zugriff haben kann (212). 

30. Verfahren nach Anspruch 22, wobei der Schritt des 
to Einrichtens einen Hinweis auf zumindest eine Datei 

schafft, auf die ein Programm, das ausgefuhrt wer- 
den soli, Zugriff hat, und die Fahigkeit spezrfiziert, 
Information in zumindest eine Datei zu sen re i ben 
(216). 

15 

31. Verfahren nach Anspruch 22, wobei der Schritt des 
Einrichtens einen Hinweis auf den Satz von Pro- 
grammen schafft, die von dem Programm aufgeru- 
fen werden durfen (220). 

20 

32. Verfahren nach Anspruch 22, des weiteren mit dem 
Schritt des Begrenzens, wobei die gespeicherte In- 
formation der programmberechtigung, die einem 
Programm zugeordnet ist, das ausgefuhrt werden 

25 soil, verwendet wird, wobei die Verwendung von zu- 
mindest den Betriebsmitteln oder der Funktionen 
erfolgt, die anderenfalls dem Programm zur Verfu- 
gung standen. 

30 33. Verfahren nach Anspruch 22, wobei der Schritt des 
Einrichtens zumindest auf eine Regel hinweist, die 
die Berechtigung des zugeordneten Programms 
schutzt, Information zu ubertragen (226). 

35 34. Verfahren nach Anspruch 33, wobei zumindest eine 
Regel einen Hinweis auf die Berechtigung schafft, 
Information zu ubertragen, und den Schritt auf- 
weist, elektronische Briefubermittlung einzusetzen 
(222). 

40 

35. Verfahren nach Anspruch 22, wobei der Schritt des 
Einrichtens zumindest eine Regel schafft, die die 
Fahigkeit des Programms schutzt, digitate Unter- 
schriften durchzufuhren. 

45 

36. Verfahren nach Anspruch 22, wobei der Schritt des 
Einrichtens die Fahigkeit des Programms qualifi- 
ziert, Operationen zum Freigeben von Dokumenten 
durchzufuhren. 

so 

37. Verfahren nach Anspruch 22, wobei der Schritt des 
Einrichtens die Fahigkeit des Programms qualifi- 
ziert, Maschinensprachbefehle auszufuhren, die 
nicht voll der Berechtigungsuberwachung ausge- 

55 setzt sind. 

38. Verfahren nach Anspruch 22, wobei der Schritt des 
Einrichtens den Speichersatz qualifiziert, auf den 


15 


20 


19 


37 


EP 0 570 123 B1 


38 


das zugeordnete Programm zugreifen dart (212. 
216). 

39. Verfahren nach Anspruch 22, wobei der Schritt des 
Einrichtens den Satz von Qualifikationen anzeigl, 
die die Fahigkeit des Programms schutzen, dem 
Anwender Information anzuzeigen (238). 

40. Verfahren nach Anspruch 22, wobei der Schrrtt des 
Einrichtens auf den Satz von Qualifikationen hin- 
weist, der die Fahigkeit des Programms schutzt, In- 
formation von einem Anwender zu erbitten (242). 

41. Verfahren nach Anspruch 22, wobei der Schritt des 
Einrichtens auf den Satz von Qualifikationen hin- 
weist, die die Fahigkeit des Programms schutzen, 
computerkontrollierte Betriebsmittel zu kontrollie- 
ren, die mit dem Computer verbunden sind (250). 

42. Verfahren nach Anspruch 41, wobei der Satz von 
Qualifikationen die Fahigkeit des Programms 
schutzt, Information Ober ein Modem zu ubertra- 
gen. 

43. Verfahren zur Ausfuhrung von Programmen in ei- 
nem Compute rsystem mit einer Einrichtung zum 
Ausfuhren einer Vielzahl von eingehenden Pro- 
grammen und einer Speichereinrichtung, die mit 
der Einrichtung zum Ausfuhren zum Speichern von 
Daten und Programmbefehlen verbunden ist, wobei 
das Computersystem einen weiten Bereich von 
Operationen, die die Informationsverarbeitung be- 
treffen, unter Programmkontrolle f Or einen Compu- 
teranwender durchfuhren kann, wobei das Verfah- 
ren folgende Schritte aufweist: 

Identifizieren eines auszufuhrenden Pro- 
gramms (300); 

Erzeugen einer Kontrollsumme von zumindest 
einem Befehl des auszuluhrenden Pro- 
gramms; 


geordnete Programm eine versuchte Operati- 
on (342), die Informationsverarbeitung betrifft, 
ausfuhren dart; und 

s Unterdrucken der Durchfuhrung der Operation, 

wenn die Informationsdatenstruktur der Pro- 
grammberechtigung darauf hinweist, da3 die- 
ses Programm eine versuchte Operation nicht 
ausfuhren dart (344, 410). 

10 

44. Verfahren nach Anspruch 43, des weiteren mit dem 
Schrrtt des Prufens der Berechtigungsinformation, 
bevor dem Programm erlaubt wird, ein gefordertes 
Betriebsmittel einzusetzen. 

is 

45. Verfahren nach Anspruch 43, des weiteren mit dem 
Schrrtt des Prufens, ob die Informationsdatenstruk- 
tur der Programmberechtigung die Durchfuhrung 
einer Operation gestattet, die in dem zugeordneten 

20 Programm bestimmt ist. 

46. Verfahren nach Anspruch 43, des weiteren mit dem 
Schritt des Prufens, um zu bestimmen, ob ein An- 
wender die Berechtigung ubertragen bekommen 

25 hat, Programme zu starten, die eine bestimmte 
Operation durchfuhren (346). 

47. Verfahren nach Anspruch 43, des weiteren mit dem 
Schrrtt des Verifizierens irgendeiner digitalen Unter- 

30 schrift, die der Informationsdatenstruktur der Pro- 
grammberechtigung zugeordnet ist (316). 

48. Verfahren nach Anspruch 47 mit dem Schritt des 
Unterdruckens der Ausfuhrung des Programms, 

35 wenn die Digitalunterschrift nicht gultig ist (322, 
324). 

49. Verfahren nach Anspruch 43, des weiteren mit dem 
Schritt des Kombinierens der Berechtigungsinfor- 

40 matron von dem Programm mit der Berechtigungs- 
information, die einer Routine zugeordnet ist, die 
das Programm aufruft. 


Bestimmen, ob eine Informationsdatenstruktur 
der Programmberechtigung dem Programm 45 
zugeordnet ist (304), wobei die Datenstruktur 
der Programmberechtigung die Fahigkeit des 
Programms qualifiziert, Informationsverarbei- 
tung betreffende Operationen durchzufuhren, 
die dem Computeranwender zur VerfOgung so 
stehen; 

Untersuchen der Informationsdatenstruktur der 
Programmberechtigung, ob eine dem Pro- 
gramm zugeordnet worden ist (310, 330); ss 

Bestimmen aus einer Untersuchung der Infor- 
mation der Programmberechtigung, ob das zu- 


50. Verfahren nach Anspruch 43, wobei die Informati- 
onsdatenstruktur der Berechtigung eine Einrich- 
tung zum Speichern einer Kontrollsumme des Pro- 
gramms enthalt, und des weiteren mit dem Schritt 
des Berechnens der Kontrollsumme des Pro- 
gramms und des Vergleichens der berechneten 
Kontrollsumme mit der gespeicherten Kontrollsum- 
me. 

. Verfahren nach Anspruch 43, des weiteren mit dem 
Schritt des Verifizierens der Berechtigung, die dem 
mit einer Digitalunterschrift Unterschreibenden zu- 
geordnet ist (308). 

!. Verfahren nach Anspruch 43, des weiteren mit dem 
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Schritt des Kombinierens der Berechtigungsinfor- 
mation des Programms mil der Berechtigungsinfor- 
mation, die einer Routine zugeordnet ist, die von 
dem Programm aufgerufen wird. 

53. Veriahren nach Anspruch 43, wobei die Berechti- 
gungsinformation einen Hinweis auf den Datensatz 
enthalt, auf den das zugeordnete Programm Zu- 
griffsberechtigung hat. 

54. Veriahren nach Anspruch 43, wobei die Programm- 
befehle in Maschinensprache ausgedruckt sind, 
und wobei die Operationen uber Anrufe zu einem 
kontrollierten Supervisor ausgefuhrt werden, der 
die Berechtigungsdatenstruktur des Programms 
uberwacht und ihr Gettung verschafft. 

55. Veriahren nach Anspruch 43, des weiteren mit dem 
Schritt des Zuordnens der Information der Pro- 
grammberechtigung zu einem vorbeikommenden 
Programm, das Befehle enthalt, sich selbst zu an- 
deren Zielen zu ubertragen. 

56. Veriahren nach Anspruch 55, des weiteren mit dem 
Schritt des Speicherns von Zertifikaten als Varia- 
blen in einem vorbeikommenden Programm, derart, 
daG die Variablen von dem Programm angewendet 
werden konnen. 

57. Veriahren nach Anspruch 43, wobei die Programm- 
befehle in interpretierendem "Pseudo"-Code aus- 
gedruckt werden, der von einem Interpreterpro- 
gramm abgearbeitet werden, das die Berechttgung- 
datenstruktur des Programms uberwacht und ihr 
Gettung verschafft 


R even di cations 

1. Systeme inlormatique avec des moyens de traite- 
ment (2) pour executer une pluralite de program- 
mes entrant et des moyens de memoire (7) pour 
memoriser des instructions de programme et des 
donnees, comprenant un dispositif pour proteger un 
utilisateur informatique contre des operations pou- 
vant etre typiquement effectuees par un program- 
me informatique pour le compte d'un utilisateur, le- 
dit dispositif comprenant : 

des moyens pour generer un hachage d'au 
moins une instruction desdits programmes 
entrant ; 

des moyens pour memoriser une pluralite d'en- 
trees d'autorisation (32, 34, 36) dans lesdits 
moyens de memoire, dans lequel lesdites en- 
trees habilitent des operations qu'un program- 
me associe est autorise a effectuer quand il est 
execute par lesdits moyens de traitement ; et 


des moyens pour memoriser dans au moins un 
segment, des donnees pour associer lesdites 
entrees d'autorisation avec au moins un pro- 
gramme (24, 28). 

5 

2. Systeme informatique selon la revendication 1, 
dans lequel ledit au moins un segment inclut des 
moyens pour memoriser un hachage dudit pro- 
gramme associe (24). 

w 

3. Systeme informatique selon la revendication 1, 
dans lequel les moyens pour memoriser une plura- 
lite d'entrees d'autorisation incluent des moyens 
pour indiquer au moins Tun du type de fonction et 

*5 de ressource pour chacune desdites entrees (34). 

4. Systeme informatique selon la revendication 1, 
dans lequel les moyens pour memoriser une plura- 
lite d'entrees d'autorisation incluent des moyens 

20 pour memoriser une habitation d'autorisation et de 
capacit6s qui a ete accordee au programme. 

5. Systeme informatique selon la revendication 1 , in- 
cluant en outre des moyens pour m6moriser une 

25 signature numerique (40). 

6. Systeme informatique selon la revendication 5, in- 
cluant en outre des moyens pour indiquer I'autori- 
sation accordee a la partie signataire. 

30 . 

7. Systeme informatique selon la revendication 5, in- 
cluant en outre des moyens pour indiquer qu'une 
pluralite de signatures numeriques est necessaire 
pour qu'au moins une signature sort consideree 

3$ comme valable (44). 

8. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
pluralite d'entrees d'autorisation incluent des 

40 moyens pour memoriser une indication de I'ensem- 
ble de donnees auquel ledit programme associe est 
autorise a accede r. 

9. Systeme informatique selon la revendication 1, 
45 dans lequel lesdits moyens pour memoriser une 

pluralite d'entrees d'autorisation incluent des 
moyens pour memoriser une indication de Pensem- 
ble de champs d'au moins un fichier auquel ledit 
programme associe est autorise a acceder (212). 

so 

10. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
pluralite d'entrees d'autorisation incluent des 
moyens pour memoriser une indication pour savoir 

55 si ledit programme associe est autorise a appeler 
des programmes (210). 

11. Systeme informatique selon la revendication 1, 
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dans lequel lesdits moyens pour memoriser une 
plurality d'entrees d'autorisation incluent des 
moyens pour memoriser une indication pour savoir 
si ledit programme associe est autorise a generer 
du courrier eiectronique (222). 

12. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
plurality d'entrees d'autorisation incluent des 
moyens pour memoriser une indication pour savoir 
si ledit programme associe est autorise a transmet- 
tre des donnees a d'autres utilisateurs (226). 

13. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
pluralite d'entrees d'autorisation incluent des 
moyens pour memoriser une indication pour savoir 
si ledit programme associe est autorise a effect uer 
des operations de distribution de documents (228). 

14. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
pluralite" d'entrees d'autorisation incluent des 
moyens pour memoriser une indication des privile- 
ges d'acces memoire autorises avec ce programme 
(232). 

15. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
pluralite d'entrees d'autorisation incluent des 
moyens pour memoriser une indication d'au moins 
une habilitation dudit programme associe concer- 
nant la capacite d'afficher des informations pour un 
utilisateur (238). 

16. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
pluralite d'entrees d'autorisation incluent des 
moyens pour memoriser une indication d'au moins 
une habilitation dudit programme associe concer- 
nant la capacite de demander une saisie pour le 
compte d'un utilisateur (247). 

17. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
pluralite d'entrees d'autorisation incluent des 
moyens pour memoriser une indication d'au moins 
une habilitation dudit programme associe concer- 
nant la capacite de demander des signatures nu- 
meriques pour le compte d'un utilisateur (246). 

18. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
pluralite d'entrees d'autorisation incluent des 
moyens pour memoriser une indication d'au moins 
une habilitation dudit programme associe concer- 
nant la capacite de commander des peripheriques 
(250). 


19. Systeme informatique selon la revendication 1, 
dans lequel lesdits moyens pour memoriser une 
pluralite d'entrees d'autorisation incluent des 
moyens pour memoriser une indication que faeces 

s est limite par une habilitation de securite. 

20. Systeme informatique sebn la revendication 1, 
dans lequel lesdits moyens de memorisation in- 
cluent des moyens pour memoriser une indication 

io selon laquelle des operations de distribution de do- 
cuments peuvent §tre effectuees. 

21. Systeme informatique selon la revendication 1, 
dans lequel ladite pluralite d'entrees d'autorisation 

*5 est incluse comme une partie d'une signature nu- 
merique. 

22. Proc6d6 Sexploitation d'un systeme informatique 
incluant des moyens de traitement (2) pour execu- 

20 ter une pluralite de programmes entrant et des 
moyens de memoire pour memoriser au moins un 
programme (7), ledit systeme informatique dispo- 
sant d'une pluralite de ressources informatiques et 
etant capable d'effectuer un grand choix de fonc- 
25 tions Ii6es au traitement informatique sous le con- 
sole d'un programme, ledit proc6d6 etant destine a 
proteger un utilisateur informatique contre les ope- 
rations pouvant etre typiquement effectuees par un 
programme quand il fonctionne pour le compte d'un 
30 utilisateur, et comprenant les etapes consistant a : 

generer un hachage d'au moins une instruction 
dudit programme entrant ; 
etablir une structure de donnees d'informations 
35 d'autorisation du programme (figure 2) pour 

memoriser une pluralite d'entrees d'autorisa- 
tion indiquant chacune au moins une des res- 
sources informatiques et des fonctions liees au 
traitement informatique qui peut etre utilisee 
40 par un programme associe : 

memoriser ladite structure de donn6es d'infor- 
mations d'autorisation du programme (266) ; et 
associer la structure de donn6es d'informations 
d'autorisation du programme avec au moins un 
45 programme a executer par ledit systeme infor- 

matique afin de proteger ainsi ('utilisateur infor- 
matique contre les operations qui pourraient 
etre effectuees par ledit au moins un program- 
me, les informations d'autorisation du program- 
50 me etant ainsi disponibles pour etre surveiliees 

quand leur programme associe est execute 
(272). 

23. Procede selon la revendication 22, comprenant en 
55 outre retape consistant a inclure un hachage nume- 

rique (24) dudit programme a executer comme une 
partie de la structure de donnees d'informations 
d'autorisation du programme. 
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24. Procede selon la revendication 22, comprenant en 
outre I'etape consistant a signer de fagon numeri- 
que au moins une partie de la structure de donnees 
d' informations d'autorisation du programme avec 
une cle privee d'une entite d'autorisation (270). 

25. Procede selon la revendication 24, dans lequel 
I'etape de signature numerique inclut le fait d'indi- 
quer qu'une pluralite de signatures numeriques est 
necessaire pour qu'une des signatures numeriques 
sort valide (44). 

26. Procede selon la revendication 24, dans lequel 
I'etape de signature numerique inclut I'etape con- 
sistant a indiquer au moins une habilitation d'auto- 
risation qui a ete accordee au signataire (40). 

27. Procede selon la revendication 22, dans lequel la 
structure de donnees d' informations d'autorisation 
du programme est definie par un utilisateur informa- 
tique avant qu'un programme associe ne soit exe- 
cute. 

28. ProcecJe selon la revendication 27, dans lequel I edit 
utilisateur inlormatique n'a pas de privileges, spe- 
ciaux et definit lesdites informations d'autorisation 
du programme pour I'usage propre dudit utilisateur. 

29. Procede selon la revendication 22, dans lequel 
I'etape d'etablissement fournit une indication d'au 
moins une partie d'au moins un fichier de donnees 
auquel le programme peut avoir acces (212). 

30. Procede selon la revendication 22, dans lequel 
I'etape d'etablissement fournit une indication d'au 
moins un fichier auquel un programme a executer 
a acces et specifie la capacite d'ecrire des informa- 
tions dans au moins un fichier (216). 

31. Procede selon la revendication 22, dans lequel 
I'etape d'etablissement fournit une indication de 
I'ensemble de programmes qui est autorise a etre 
appele par ledit programme (220). 

32. Procede selon la revendication 22, incluant en outre 
I'etape de limitation, utilisant lesdites informations 
d'autorisation du programme associees a un pro- 
gramme a executer, Putilisation d'au moins une des 
ressources et fonctions qui seraient autrement dis- 
ponibles pour ledit programme. 

33. Procede selon la revendication 22, dans lequel 
I'etape d'etablissement indique au moins une regie 
regissant I'autorisation dudit programme associe de 
transmettre des informations (226). 

34. Procede selon la revendication 33, dans lequel au 
moins une regie fournit une indication de I'autorisa- 


tion de transmettre des informations et inclut I'etape 
consistant a utiliser le courrier electronique (222). 

35. Procede selon la revendication 22, dans lequel 
s I'etape d'etablissement fournit au moins une regie 

regissant la capacite du programme d'effectuer des 
signatures numeriques. 

36. Procede selon la revendication 22, dans lequel 
10 I'etape d'etablissement habilite la capacite du pro- 
gramme d'effectuer des operations de distribution 
de documents. 

37. Procede selon la revendication 22, dans lequel 
*5 I'etape d'etablissement habilite la capacite du pro- 
gramme d'executer des instructions en langage 
machine qui ne sont pas soumises a etre entiere- 
ment surveillees pour Pautorisation. 

20 38. Procede selon la revendication 22, dans lequel 
I'etape d'etablissement habilite I'ensemble de me- 
moire auquel ledit programme associe est autorise 
aacceder (212, 216). 

■ 25 39. Procede selon la revendication 22, dans lequel 
I'etape d'etablissement indique I'ensemble d'habili- 
tations regissant la capacite du programme d'affi- 
cher des informations pour Putilisateur (238). 

30 40. Procede selon la revendication 22, dans lequel 
I'etape d'etablissement indique I'ensemble d'habili- 
tations regissant la capacite du programme de de- 
mander des informations a un utilisateur (242). 

35 41. Procede selon la revendication 22, dans lequel 
I'etape d'etablissement indique I'ensemble d'habili- 
tations regissant la capacite du programme de con- 
troler des ressources a commande informatique qui 
sont reliees a I'ordinateur (250). 

40 

42. Procede selon la revendication 41 , dans lequel I'en- 
semble d'habilitations regit la capacite du program- 
me de transmettre des informations par Pinterm6- 
diaire d'un modem. 

45 

43. Procede pour executer des programmes sur un sys- 
teme informatique avec des moyens pour executer 
une pluralite de programmes entrant et des moyens 
de memoire couples auxdfts moyens d'execution, 

so pour memoriser des donnees et des instructions de 
programme, ledit systeme informatique etant capa- 
ble d'effectuer un grand choix d'operations liees au 
traitement informatique sous le contrdle d'un pro- 
gramme pour un utilisateur informatique, ledit pro- 

55 ced6 comprenant les etapes consistant a : 

identifier un programme a executer (300) ; 
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generer un hachage d*au moins une instruction 
dudit programme a executer ; 

determiner si une structure de donnees d'infor- 
mations d'autorisation du programme a ete as- 
sociee au programme (304), dans lequel lad it e 
structure de donnees d'autorisation du pro- 
gramme habilite la capacite du programme 
d'effectuer des operations liees au traitement 
informatique qui sont disponibles pour ledit uti- 
lisateur intormatique ; 

examiner ladite structure de donnees defor- 
mations d'autorisation du programme si une 
telle structure a ete associee audit programme 
(310, 330) ; 

determiner d'apres un examen desdites infor- 
mations d'autorisation du programme si le pro- 
gramme associe est autorise a eftectuer une 
operation tentee liee au traitement intormatique 
(342) ; et 

supprimer I'execution de ladite operation si la- 
dite structure de donnees d' informations 
d'autorisation du programme indique que ledit 
programme n'est pas autorise a effectuer une 
operation tentee (344, 410). 

44. Procede selon la revendication 43, incluant en outre 
I'etape consistant a verifier lesdites informations 
d'autorisation avant de permettre audit programme 
d'utiliser une ressource necessaire. 

45. Procede selon la revendication 43, incluant en outre 
I'etape consistant a verifier si ladite structure de 
donnees d'informations d'autorisation du program- 
me permet I'execution d'une operation definie dans 
ledit programme associe. 

46. Procede selon la revendication 43, incluant en outre 
I'etape de verification pour determiner si un utilisa- 
teur a recu I'autorisation d'executer des program- 
mes effectuant une operation predeterminee (346). 

47. Precede selon la revendication 43, incluant en outre 
I'etape consistant a verifier toute signature numeri- 
que associee a ladite structure de donnees d'infor- 
mations d'autorisation du programme (316). 

48. Procede selon la revendication 47, incluant I'etape 
consistant a supprimer I'execution dudit program- 
me si ladite signature numertque n'est pas valable 
(322, 324). 

49. Procede selon la revendication 43, incluant en outre 
I'etape consistant a combiner les informations 
d'autorisation dudit programme avec les informa- 


tions d'autorisation associees a une routine appe- 
lant ledit programme. 

50. Procede selon la revendication 43, dans lequel la- 
s dite structure de donnees d'informations d'autorisa- 
tion inclut des moyens pour memoriser un hachage 
dudit programme, et incluant en outre fetape con- 
sistant a calculer le hachage dudit programme et a 
comparer le hachage calcule audit hachage memo- 

io rise. 

51 . Procede selon la revendication 43, incluant en outre 
I'etape consistant a verifier I'autorisation associee 
au signataire d'une signature numerique (308). 

15 

52. Procede selon la revendication 43, incluant en outre 
I'etape consistant k combiner les informations 
d'autorisation dudit programme avec les informa- 
tions d'autorisation associees a une routine appe- 

20 lee par ledit programme. 

53. Procede selon la revendication 43, dans lequel les- 
dites informations d'autorisation incluent une indi- 
cation de I'ensemble de donnees auquel ledit pro- 

25 gramme associe est autorise a accede r. 

54. Procede selon la revendication 43, dans lequel les- 
dites instructions de programme sont exprimees en 
code de langage machine, et dans lequel lesdites 

30 operations sont effectuees par des appels a un su- 
pervisee commande qui surveille et applique la 
structure de donndes d'autorisation du programme. 

55. Procede selon la revendication 43, comprenant en 
35 outre I'etape consistant a associer lesdites informa- 
tions d'autorisation du programme avec un pro- 
gramme mobile qui inclut des instructions pour se 
transmettre a une autre destination. 

40 56. Procede selon la revendication 55, incluant en outre 
I'etape consistant a memoriser des certificats com- 
me des variables a I'interieur d'un programme mo- 
bile de sorte que ledit programme peut agir sur les- 
dites variables. 

45 

57. Procede selon la revendication 43, dans lequel les- 
dites instructions de programme sont exprimees en 
"pseudo" code interpretatif qui est traite par un in- 
terpretateur qui surveille et applique ladite structure 
50 de donnees d'autorisation du programme. 


55 
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KEYBOARD/ 
CRT 


PROCESSOR 
W/MAIN 
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PROGRAM & PAI 
STORAGE 


7- 

TERMINAL A 


,8 


MODEM 


TERMINAL 
B 


IO 


MODEM 


TERMINAL 
N 


Fig. 1 


Fig. 3D 



ONE USER'S PRIVATE PAI ASSOCIATION DATA 


1st SET OF ASSOCIATION RULES 
THAT ASSOCIATE THIS PAI INFO 
WITH ONE OR MORE PROGRAMS, (e.g., 
PROGX) 


(MAY BE SIMPLY A PROGRAM NAME; 
MAY BE VERY COMPLEX RULE ASSOC 
SET) 


137 


SPECIFICATION OF PAI RULES 

( OR PERHAPS POINTER TO A 
RULE SET ) 


Nth SET OF 
PROG ASSOC 
RULES & PAI 
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SIZE OF FOLLOWING AUTHORIZATION INFO. - 20 


TYPE OF PROGRAM (OR OBJECT) 


ID OF ALGORITHM USED TO HASH PROGRAM |-«22 

24 

HASH OF PROGRAM 

' -26 
28 

29 
-K30 


NAME OF PROGRAM 


DATE OF AUTHORIZATION 


SIZE OF SERIES OF AUTHORIZATION ENTRIES: 


SIZE OF THIS ENTRY 


TYPE OF FUNCTION OR RESOURCE 


FUNCTION/RESOURCE SPECIFICATION 
(POSSIBLY USING WILDCARDS') 


LEVEL OF AUTHORITY WHICH 
HAS BEEN GRANTED 


.32 


AUTHORIZATION SIGNATURE: 


SIGNATURE: 

• REFERENCE SIGNER'S CERTIFICATE 
» DATE OF SIGNING 

• ALGORITHM ID'S (HASH & PUB KEY) 

• AUTHORITY INVOKED FOR SIGNING 
, (WITH ENHANCED AUTHORITY) 

HASH OF "AUTHORIZING SPEC* 


. -40 


RESULT OF SIGNER'S PRIVATE 
KEY OPERATION IN ABOVE ITEMS 


POSSIBLE 2ND SIGNATURE 
(COSIGNATURE) 


POSSIBLE NTH SIGNATURE 
(COSIGNATURE) 


OPTIONAL: INCLUDE CERTIFICATES 
FOR ABOVE SIGNATURES. 


Fig. 2 
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-44 


-46 


> AUTHORIZING SPEC 


\ AUTHORIZATION 
' SEAL 


-48 
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DIRECTORY OF PROGRAMS 
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NAME OF 
PROGRAM 
1 


NAME OF 
PROGRAM 
2 
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NAME OF 
PROGRAM 
N 


94 \ 96 


Fig. 3 A 


r IIO 


AUTHORIZING PROGRAM 
INFO 


PROGRAM 


Fig. 


II2 


TYPE 


PROGRAM(S') SIGNED / 
AUTHORIZATION (PAI) 


PROGRAM(S) \ 
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DATA ( |20 - 


Fig. 3C 


114 


TYPE OF OBJECT 
(OR DESCRIPTION) 


AUTHORIZATION FOR OBJECT'S 
PROGRAM(S) 


OBJECT PROGRAM(S)- 
PROGRAM MAY BE DIVIDED INTO 
SEVERAL LOGICAL SEGMENTS 
TO ACCOMMODATE DIFFERENT 
USES OF THE OBJECT 


DATA ASSOCIATED WITH THIS 
INSTANCE OF THE OBJECT. 
THIS DATA IS TYPICALLY 
NOT SIGNED BY A COMMON 
AUTHORITY 
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USER RECEIVES PROGRAM 
OF INTEREST, BUT OF 
UNKNOWN TRUST. PROGRAM 
MAY ARRIVE OVER TELE- 
COMMUNICATIONS CHANNEL 
OR DISKETTE 


TO PROTECT HIMSELF, USER 
DEFINES PAI WHICH RESTRICTS 
PROGRAM TO ONLY UNIMPORTANT 
OR EXPENDABLE FILES. AND NO 
PRIVILEGED FUNCTIONS. SYSTEM 
ASSOCIATES THIS PAI WITH THE 
PROGRAM. (SEE FIG. 3) 


-I2I 


Fig. 4 


USER CAN SAFELY RUN THE PROGRAM 
NOW THAT IT IS IN A "SAFETY BOX" 


— 124 


J PREVIOUS PCB 


t 


STORAGE WHERE PROGRAM 
IS LOADED 


SIZE OF PROGRAM 


AUTHORIZATION INFO FOR 
THIS PROGRAM 


ENTRY/RESUME ADDRESS 
FOR PROGRAM 


OTHER STATUS 
INFORMATION 


TERMINATION/ERROR INFO. 


VARIOUS POINTERS. ETC. 
WHICH ARE MAINTAINED SO 
THAT "STRAY" RESOURCES 
CAN BE RELEASED WHEN 
PROGRAM ENDS. 


CALLER'S PCB 


"ORIGINATING" PCB 


I40 


Fig. 5 


.150 



J 53 


PROGRAM IN 
y STORAGE y f 


158 


I57 


IMAGE OF (ONE OR MORE) 
PAIs. 


■H70 
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C ENTER J 

ASK USER FOR 
NAME OF PROGRAM 


200 


—202 


Fig. 6 


DETERMINE WHETHER USER 
WISHES TO -SIGW AUTHORITY, 
OR WISHES TO SET PROGRAM'S 
AUTHORITY FOR USER'S OWN 
PROTECTION 


— 204 



206 


GET USER'S CERTIFICATE 
AND SET SWITCH INDICATING 
SIGNATURE BEING DONE 


T 


ASK USER WHAT AUTHORITY 
SHOULD BE ASSIGNED TO 
PROGRAM 



~2lO 


2I4 


2I6 


ASK USER TO SPECIFY 
THE FILE NAME OR 
STEM. OR WILDCARD 
FILE NAME PATTERN 


22! 


ASK USER 
TO OUAUFY 


HAVE USER SPECIFY 
TYPE OF ACCESS: 

• READ ONLY 

• INSERT INFORMATION 

• UPDATE INFORMATION 

• DELETE INFORMATION 

• ERASE FILE 

• TRANSMIT FILE 


OTHER PROGRAMS? 


ASK USER 
TO QUALIFY 


*223 
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A ) PROGRAM ALLOWED 
TO GENERATE 
ELECTRONIC MAIL? 


222 



YES 


226 


224 


0 


ASK USER WHETHER THIS 
SHOULD BE QUALIFIED AND 
IF SO, WHAT THE 
QUALIFICATION IS 



PROGRAM ALLOWED TO 
TRANSMIT DATA TO 
OTHER USERS? 


YES 


228 


PROGRAM ALLOWED 
TO PERFORM 230 
DOCUMENT RE LEASE? ( 


YES 


232 


DETERMINE THE CLASS OF 
DOCUMENTS TO WHICH 
THIS AUTHORITY APPLIES 
[e.g. Top Secret", 
"Secret". "Sensitive", etc.] 
OR: ENGINEERING RELEASE 


238 



IS PROGRAM ALLOWED 
TO EXECUTE MACHINE 
LANGUAGE PROGRAMS? 
YES 


33 


HAVE USER SPECIFY 
QUALIFICATION 


234 


SHOULD PROGRAM BE 
GIVEN SPECIAL MEMORY 
ACCESS PRIVILEGES? 
YES 



DOES PROGRAM HAVE 
AUTHORITY TO 
DISPLAY INFO TO 
USER? 


YES 


236 


HAVE USER SPECIFY 
QUALIFICATION AS 
APPROPRIATE 


SUPPLY POSSIBLE 
RESTRICTIONS, e.g. 
ONLY IN A SPECIAL 
WINDOW, OR ON SPECIAL 
CONSOLE. 


— r- 

240 


0 


Fig. 7 
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DOES PROGRAM HAVE 
AUTHORITY TO SOLICIT 
' INPUT FROM USER? 


244 


0 


NO 


^YES 


SPECIFY POSSIBLE 
RESTRICTIONS, e.g. 
SPECIAL WINDOW, OR 
TERMINAL, ETC. 



1 


248 


246 


AUTHORITY TO 
SOLICIT DIGITAL 
SIGNATURES? 

YES 


250 


NO AUTHORITY TO 
DIRECT "ROBOT* 
DEVICES (or any 
other computer 
devices equipment) 

YES 


OETERMINE TYPES OF SIGNATURES 
ALLOWED, AND, IF APPROPRIATE 
THE LIMITS OF THE AUTHORITY, 
OR THE SCOPE OF THE MATERIAL 
WHICH MAY BE SIGNED 


252 


254 


NO 


SPECIFY THE 

DETAILS AND THE 
SCOPE OF 
CONTROL 


ACCESS TO BE 
GENERALLY 
LIMITED BY 
SECURITY CLASS? 

YES 


256 


NO 


SPECIFY LEVEL(S); 
SUCH AS "Secret", 
•Sensitive", 
■Confidential*, etc. 
OR ALL OR NONE 


258 


ANY OTHER COMPUTER 
FUNCTION OR RESOURCE 
TO BE CONTROLLED? 

YES 


260- 


HAVE USER SPECIFY 
THE DETAILS 


NO 


© 


Fig. 8 
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SPECIFYING 
AUTHORITY? 



HAS USER FINISHED 


264 


ISSUE MSGrUNKNOWN 
AUTHORITY SPECIFIED" 


-0 


COLLECT ALL PREVIOUSLY 
DEFINED AUTHORIZATIONS. 
BUILD PAI STRUCTURE 


Fig. 9 A 


TO BE 
DIGITALLY 
SIGNED? 



270 


PERFORM APPROPRIATE 
DIGITAL SIGNATURE 
ON PAI STRUCTURE 


RECORD PAI AND OPTIONAL 

DIGITAL SIGNATURE, AS 
APPROPRIATE. SO IT CAN BE 
ASSOCIATED WITH THE PROGRAM 


273 


NO 


( °" ) 


©- 


280 
I 


IS ENHANCED 
CERTIFICATION 
WITH AUTHORITY 
BEING USED? 


NO 



IS THIS AUTHORITY 
BEING DIGITALLY 
SIGNED? 


ADD THIS NEWLY 
DEFINED AUTHORITY 
TO AUTHORIZATION 
INFO FOR THIS 
PROGRAM 


Fig. 9B 


DOES USER'S 
ENHANCED 
AUTHORITY 
CERTIFICATE PERMIT 
ASSIGNING THIS 
PARTICULAR 
PROGRAM 
AUTHORITY 
SPEC? 


NO: ISSUE MESSAGE "YOUR 
CERTIFICATE DOES NOT 
PERMIT ASSIGNING THIS LEVEL 
OF PROGRAM AUTHORITY" 



32 


EP 0 570 123 B1 


300 y^n—^ 

\PROOX/ 
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Fig. 10 


CREATE PCB & 
LOCATE PROG. X 


VERIFY 
SIGNATURE 
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USE DEFAULT 

AUTH. 


320 



MANUFACTURER'S 
PEDIGREE 
* ACCEPTABLE? 


SUPPRESS 
EXECUTION 
OF PROG. X 


ALLOCATE STORAGE 
AND LOAD PROG X 



330 

'do hashes\ no 

k MATCH? 


^332 


GENERATE ERROR 
MESSAGE 


PREPARE FOR 
INITIAL EXEC 
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START/RESUME 
EXECUTION 


I 


—334 


RESUME EXECIN | — 338 
ISOLATION MODE 


I 


340 


REQUEST SUPERVISOR 
& EXAMINE PAI 


DOES PAI 
ALLOW FUNCTION/ 
RESOURCE? 


344 



IS USER JYES 
AUTHORIZED? Jr 



\, NO 



I YES 

T r 


4 

PERFORM 



FUNCTION 


CALL 



GENERATE ERROR 
MESSAGE 


348 


DENY 
ACCESS 


.354 


exit! 


REMOVE PCB FROM 
TOP OF STACK 


358 


52 


INDICATE TYPE OF 
ACCESS VIOLATION 



YES 


SHOULD PROGRAM 
SEEKING 
INAPPROPRIATE 
ACCESS BE 
INFORMED? 


SET STATUS MESSAGE 

INDICATING 

TERMINATION 


"356 


TERMINATION 
PROCESSING 
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Fig. 1 1 
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